Digital Certificates

For TMWS to determine that a web server's signature is trusted, the root Certificate Authority (CA) certificate on which the signature is based must be added to the TMWS certificate store.

For more information about digital certificates, see About Digital Certificates.

Before managing digital certificates, ensure that Enable certificate management under Global Settings is set to On.

  1. Go to Policies > HTTPS Inspection > Digital Certificates.
  2. Configure the CA Certificates tab:
    Note:

    This tab only collects and displays root and intermediate CA certificates.

    Task

    Details

    View existing CA certificates

    1. Switch among Trusted CA Certificates, Untrusted CA Certificates, and Inactive CA Certificates in the drop-down list to see which CA certificates are trusted by, untrusted by, or unknown to TMWS.

    2. View the CA certificate information:

      • Common Name: CommonName (CN) field in the CA certificate.

      • Type: Type of the CA certificate, which is Root or Intermediate.

      • Expires at: Date and time when the CA certificate becomes invalid.

      • Status: Whether the CA certificate has expired. An icon indicates that the certificate has expired and reminds the administrator to take action on it.

    3. Click a CommonName under Common Name to view the certificate details.

    Add a CA certificate

    Add CA certificates to the Trusted CA Certificates or Untrusted CA Certificates lists:

    1. Click Add.

    2. On the Add CA Certificate screen that appears, click choose file and select a certificate to upload.

      Note:

      TMWS supports uploading CA certificates in .pem or .p7b format.

    3. Click Add.

    Note:

    If TMWS encounters an unknown CA certificate, it automatically saves it in the Inactive CA Certificates list.

    TMWS saves no more than 100 inactive CA certificates in total. It checks the expiry of these certificates on a daily basis and automatically deletes the expired ones.

    Move a CA certificate

    • To move a trusted CA certificate to the Untrusted CA Certificates list, select it and click Move to Untrusted.

      This CA certificate is still kept in the TMWS certificate store, but TMWS does not trust certificates that use it in their certification path.

    • To move an untrusted CA certificate to the Trusted CA Certificates list, select it and click Move to Trusted.

      Certificates that use this CA certificate in their certification path are trusted.

    • To move an inactive CA certificate to the Trusted CA Certificates or Untrusted CA Certificates list, select it and click More > Move to Trusted or Move to Untrusted.

    Sort the CA certificate information

    Sort the information in ascending or descending order in either of the following ways:

    • Click the title area of a column.

    • Click the up or down arrow at the right of the title area of a column.

    Search for a CA certificate

    In the Search text box, type a keyword, or part of a keyword, that relates to any column in the table.

    Note:

    If there are many entries in the table, type some characters in the Search text box to narrow down the entries. As you type, the entries that match the characters you typed are displayed immediately. TMWS searches all cells in the table for matches.

  3. Configure the Certificate Exceptions tab:

    This tab collects and displays the end certificates that fail the certificate validation test and the certificates for which the administrator needs to set special actions according to the organization's information security policies.

    When a user first attempts to access a website whose certificate does not pass the certificate validation test, TMWS automatically adds the certificate to the exceptions list and displays a warning page on which the user chooses whether to continue. By default, Action is set to Warn and can be changed as necessary. TMWS processes subsequent attempts to access websites that use this certificate according to the updated action.

    You can also manually add a certificate exception.

    Task

    Details

    Add/Edit a certificate exception

    See Configuring A Certificate Exception.

    View existing certificate exceptions

    The Common Name, Description, Type, and Action fields automatically populate with the related data after a certificate exception is added.

    Delete a certificate exception

    Select one or several certificate exceptions to delete and then click Delete.
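
A pre-upload check for the Add a CA certificate task above, as an added example that is not part of the TMWS documentation or product: for each certificate in a .pem or .p7b file it lists the values that the CA Certificates tab displays, plus a SHA-256 fingerprint to compare against the one the CA publishes. It assumes the OpenSSL command-line tool is installed; the function name inspect_ca_file and the Root/Intermediate rule in its comments are assumptions, not documented TMWS behavior.

```shell
#!/bin/sh
# Added example (not vendor code): summarize every certificate in a .pem or
# .p7b file before uploading it. Assumes the OpenSSL CLI is installed.
# Prints: Common Name | Type | notAfter | Valid/Expired | SHA-256 fingerprint
inspect_ca_file() (
  file=$1
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT
  case $file in
    *.p7b)  # PKCS #7 bundle: unpack to PEM, trying PEM then DER encoding
      openssl pkcs7 -in "$file" -print_certs -out "$tmp/all.pem" 2>/dev/null ||
      openssl pkcs7 -inform DER -in "$file" -print_certs -out "$tmp/all.pem" || exit 1 ;;
    *) cp "$file" "$tmp/all.pem" || exit 1 ;;
  esac
  # One file per certificate so that each can be examined separately
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
       on { print > (d "/cert" n ".pem") }
       /-----END CERTIFICATE-----/ { on = 0 }' "$tmp/all.pem"
  set -- "$tmp"/cert*.pem
  [ -e "$1" ] || { echo "no certificate found in $file" >&2; exit 1; }
  for c in "$@"; do
    cn=$(openssl x509 -in "$c" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p' | head -n 1)
    subject=$(openssl x509 -in "$c" -noout -subject)
    issuer=$(openssl x509 -in "$c" -noout -issuer)
    # Assumption: Root = CA certificate whose subject equals its issuer,
    # Intermediate = any other CA certificate. The page does not say how
    # TMWS itself decides the Type column.
    if ! openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE'; then
      type="Not a CA"   # end certificate: does not belong on the CA tab
    elif [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
      type="Root"
    else
      type="Intermediate"
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past
    if openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then
      status="Valid"
    else
      status="Expired"
    fi
    end=$(openssl x509 -in "$c" -noout -enddate)
    fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256)
    printf '%s | %s | %s | %s | %s\n' "$cn" "$type" "${end#notAfter=}" "$status" "${fp#*=}"
  done
)
# Run as a script: sh inspect_ca_file.sh candidate.pem
[ "$#" -eq 0 ] || inspect_ca_file "$1"
```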