For Deep Discovery Web Inspector to determine if a server’s signature is trusted, the root Certification Authority (CA) certificate on which the signature is based must be added to the Deep Discovery Web Inspector certificate store.
There are three types of digital certificates that are involved in producing a digital signature:
- The "end" or "signing" certificate, which contains the public key to be used to validate the actual digital signature.
- One or more "intermediate" Certification Authority (CA) certificates, which contain the public keys to validate the signing certificate or another intermediate certificate in the chain.
- The "root" CA certificate, which contains the public key used to validate the first intermediate CA certificate in the chain (or, rarely, the signing certificate directly).
An otherwise valid signature is "trusted" by Deep Discovery Web Inspector if the CA certificate of the signature is known to Deep Discovery Web Inspector and is active.
If Deep Discovery Web Inspector encounters an unknown CA certificate during SSL handshake processing, it automatically saves the certificate in the Inactive CA Certificates list. Intermediate and root CA certificates are collected in this way. If required later, a CA certificate collected in this way can be "activated" (made trusted or untrusted by Deep Discovery Web Inspector) so that the signatures of websites depending on it can be processed as valid or invalid.
Accessing secure resources that traverse through a Deep Discovery Web Inspector appliance with an untrusted or expired certificate displays a security warning in the web browser.
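
The trust decision and CA collection described above, as a simplified model added here for illustration (not Trend Micro code). It verifies no signatures; the `Cert` and `CertStore` names, the name-based chaining and the sample chain are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # stands in for the X.509 basicConstraints CA flag

def role(cert):
    """Classify a certificate into the three types listed above."""
    if not cert.is_ca:
        return "signing"
    return "root" if cert.subject == cert.issuer else "intermediate"

def links_up(chain):
    """Each certificate must be issued by the next one in the chain."""
    return all(a.issuer == b.subject for a, b in zip(chain, chain[1:]))

@dataclass
class CertStore:
    """Hypothetical model of the store: active CAs carry a trust flag."""
    active: dict = field(default_factory=dict)  # subject -> True (trusted) / False
    inactive: set = field(default_factory=set)  # collected, not yet activated

    def handshake(self, chain):
        # Unknown intermediate and root CA certificates are collected.
        for cert in chain:
            if cert.is_ca and cert.subject not in self.active:
                self.inactive.add(cert.subject)
        root = chain[-1]
        return (links_up(chain) and role(root) == "root"
                and self.active.get(root.subject) is True)

    def activate(self, subject, trusted):
        self.inactive.discard(subject)
        self.active[subject] = trusted

# Constructed sample chain: signing -> intermediate -> root.
CHAIN = [
    Cert("www.example.test", "Example Issuing CA", False),
    Cert("Example Issuing CA", "Example Root CA", True),
    Cert("Example Root CA", "Example Root CA", True),
]
# Rare case from the list above: the root signs the signing certificate directly.
SHORT_CHAIN = [Cert("intranet.example.test", "Example Root CA", False), CHAIN[2]]

def demo():
    store = CertStore()
    first = store.handshake(CHAIN)  # root still unknown, so not trusted
    collected = sorted(store.inactive)
    store.activate("Example Root CA", trusted=True)
    return first, collected, store.handshake(CHAIN), store.handshake(SHORT_CHAIN)
```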