* Certs and Web Appliance

Question

Does the web appliance work with * certs? It seems that every time I see an organization with a cert issued to *.company.com, the web appliance does not allow access to the page until I add that site to the bypass list for SSL. It says that the site certificate is not valid although I cannot find any problems with it. Am I doing something wrong?

Here's an example site:

https://www.ctspurchasing.com/

Jason

This thread was automatically locked due to age.

PParker · Accepted Answer

When a root certificate authority (CA) is known to the system, we trust the certificates used by secured sites that are signed by that root CA. However, when intermediate CA’’’’s are involved, we want to be able to validate them as well, because we do not know whether, or not, these intermediate CAs can be trusted – Often, the intermediate CA’’’’s are not the same company as the root CA.  If you have a longer chain (root signs inter1, inter1 signs inter2, inter2 signs the end certificate), then the potential risk increases. So to be cautious about it, we require the intermediate CA’’’’s to validate the certificates used by secured sites (if they are signed by a chain). If you find us missing intermediate CA’’’’s, then please contact us in the Administration Web Interface > Help > Sophos Support.  We will gladly investigate and include legitimate intermediate CA’’’’s in our system.  Thank you. :3563