Identify Untrusted CA Certificates

Find sites that have untrusted CA certificates so you can make informed decisions about allowed traffic.
Blocking access to sites with untrusted CA certificates and certificates self-signed by an untrusted root CA is a best practice because sites with untrusted CAs may indicate a man-in-the-middle attack, a replay attack, or other malicious activity.
  1. Ensure that you Block sessions with untrusted issuers in the Forward Proxy Decryption profile (Objects > Decryption > Decryption Profiles) to block sites with untrusted CAs.
     When you block sessions with untrusted issuers in the Decryption profile, the Decryption log (Monitor > Logs > Decryption) logs the error.
  2. Filter the log to identify sessions that failed because the issuer CA is untrusted, using the query (error eq 'Untrusted issuer CA').
  3. (Optional) Double-check the certificate expiration date at the Qualys SSL Labs site. Enter the hostname of the server (the Server Name Identification column of the Decryption log) in the Hostname field and Submit it to view certificate information for the host.
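As an added example (not part of this page or of PAN-OS), the following script applies the step 2 filter to an exported copy of the Decryption log and counts blocked sessions per server name, so each host can be reviewed before deciding whether its traffic should be allowed. The CSV rows, the column names and the mapping from query field names to columns are constructed assumptions; compare them with the header of your own export.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export of the Decryption log (Monitor > Logs > Decryption).
# Column names and all rows are assumptions for this example; the only error
# string taken from the documentation is 'Untrusted issuer CA'.
SAMPLE_DECRYPTION_LOG = """\
Receive Time,Source address,Destination address,Server Name Identification,Error
2024/05/01 10:00:01,10.1.1.5,203.0.113.10,updates.example.com,
2024/05/01 10:00:07,10.1.1.8,203.0.113.22,intranet-dev.example.net,Untrusted issuer CA
2024/05/01 10:00:09,10.1.1.5,203.0.113.22,intranet-dev.example.net,Untrusted issuer CA
2024/05/01 10:00:15,10.1.1.9,198.51.100.7,captive.example.org,Untrusted issuer CA
2024/05/01 10:00:20,10.1.1.3,203.0.113.40,shop.example.com,Sample other error
"""

# Assumed mapping from the short field names used in log filter queries
# to the CSV column headers of the export.
FIELD_TO_COLUMN = {"error": "Error", "sni": "Server Name Identification"}

# Single-term filter of the form (field eq 'value') or (field neq 'value').
QUERY_RE = re.compile(r"^\(\s*(\w+)\s+(eq|neq)\s+'([^']*)'\s*\)$")


def parse_query(query):
    """Parse a single-term filter such as (error eq 'Untrusted issuer CA')."""
    m = QUERY_RE.match(query.strip())
    if not m:
        raise ValueError(f"unsupported filter: {query!r}")
    field, op, value = m.groups()
    if field not in FIELD_TO_COLUMN:
        raise ValueError(f"unknown field: {field}")
    return FIELD_TO_COLUMN[field], op, value


def filter_log(csv_text, query):
    """Return the exported log rows that match the filter query."""
    column, op, value = parse_query(query)
    rows = csv.DictReader(io.StringIO(csv_text))
    if op == "eq":
        return [r for r in rows if r[column] == value]
    return [r for r in rows if r[column] != value]


def untrusted_issuer_hosts(csv_text):
    """Count blocked sessions per server name (SNI), most frequent first."""
    hits = filter_log(csv_text, "(error eq 'Untrusted issuer CA')")
    return Counter(r["Server Name Identification"] for r in hits).most_common()


if __name__ == "__main__":
    for host, n in untrusted_issuer_hosts(SAMPLE_DECRYPTION_LOG):
        print(f"{n:3d}  {host}")
```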
