Find sites that have untrusted CA certificates so you
can make informed decisions about allowed traffic.
Blocking access to sites with untrusted CA
certificates and certificates self-signed by an untrusted root CA
is a best practice because sites with untrusted CAs may indicate
a man-in-the-middle attack, a replay attack, or other malicious
activity.
Ensure that you Block sessions with untrusted issuers in the
Forward Proxy Decryption profile (Objects > Decryption >
Decryption Profiles) to block sites with untrusted CAs.
When you block sessions with untrusted issuers in the Decryption
profile, the Decryption log (Monitor > Logs > Decryption) logs
the error.
Filter the log to identify sessions that failed due to
revoked certificates using the query
(error eq 'Untrusted issuer CA').
(Optional) Double-check the certificate expiration
date at the Qualys SSL Labs site.
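
Once the filtered Decryption log has been exported, the blocked sessions can be grouped by site to support the allow-or-block decision described above. The following is an added example, not part of the original page or vendor code; the CSV column names (receive_time, src, sni, issuer_cn, error) and all sample rows are constructed assumptions, so map them to the headers in your own export.

```python
import csv
import io
from collections import Counter, defaultdict

UNTRUSTED = "Untrusted issuer CA"  # error string used in the log query on this page

# Constructed sample export; column names and rows are assumptions for illustration.
SAMPLE_CSV = """\
receive_time,src,sni,issuer_cn,error
2024-05-01 09:00:01,10.0.0.5,intranet.example.test,Example Lab Root,Untrusted issuer CA
2024-05-01 09:00:07,10.0.0.9,intranet.example.test,Example Lab Root,Untrusted issuer CA
2024-05-01 09:01:12,10.0.0.5,shop.example.test,Public CA G2,Some other error
2024-05-01 09:02:30,10.0.0.7,files.example.test,Unknown Issuer X,Untrusted issuer CA
2024-05-01 09:03:00,10.0.0.5,INTRANET.example.test.,Example Lab Root,untrusted issuer ca
"""


def summarize_untrusted(csv_text):
    """Return [(site, sessions, issuers, clients)] for untrusted-issuer rows, busiest first."""
    counts = Counter()
    issuers = defaultdict(set)
    clients = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Keep only rows whose error matches the untrusted-issuer string.
        if (row.get("error") or "").strip().casefold() != UNTRUSTED.casefold():
            continue
        # Normalise the server name so case or a trailing dot does not split one site.
        site = (row.get("sni") or "").strip().rstrip(".").lower() or "(no SNI)"
        counts[site] += 1
        issuers[site].add((row.get("issuer_cn") or "").strip())
        clients[site].add((row.get("src") or "").strip())
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(s, n, sorted(issuers[s]), sorted(clients[s])) for s, n in ordered]


if __name__ == "__main__":
    for site, n, iss, cl in summarize_untrusted(SAMPLE_CSV):
        print(f"{site}: {n} blocked session(s), issuer(s)={iss}, clients={cl}")
```

A site that many internal clients reach and that always presents the same issuer is a candidate for review of that CA; a site whose issuer varies between sessions deserves closer investigation before any exception is made.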