Native Browser CA
This feature adds an option to configure the product so that the server certificates it generates during the TLS handshake let browsers show their native certificate-error behavior.
Secure Web Gateway validates the server certificate during the certificate verification process if the HTTP Scanning and Certificate Verification rules are enabled in the policy. With this feature, you have the option of “Preserve/Mimic Server Certificate” behavior instead of the typical block action on certificate errors.
Property evaluation in rules:
There are two types of properties in SWG related to certificate handling.
1. Properties that require no configuration or setting (a few examples are listed below; the list is not exhaustive)
- Expired Certificates
- Self-Signed Certificates
- Common name mismatch
- Key type/size strength
These properties of the server certificate are preserved/mimicked without being evaluated in the policy; no rule needs to evaluate them for SWG to preserve this behavior.
2. Properties that take a configuration or setting (a few examples are listed below; the list is not exhaustive)
- Revocation status
- Untrusted/Unknown CA
For these to be mimicked, at least one property that takes configuration must be evaluated in the policy. For example, for “revocation status” to be mimicked, at least one such property must be evaluated during “Certificate Verification”, with a rule like the following:
SSL.Server.CertificateChain.ContainsRevoked<Default> equals "true" (or "false") → Continue (action)
Evaluating this one property is enough for the other configurable properties, such as Unknown CA, to be mimicked as well.
To enable this feature, follow these steps:
- Enable the event “Enable Native Browser CA”.
- This event should be configured in the Certificate Verification ruleset in the policy (“CERTVERIFY” command name criteria). Customers can customize their certificate verification rules to their requirements, either by disabling them or by changing the “block” action.
- The “Enable Native Browser CA” event has a configuration setting: provide the “Untrusted CA” that is used to sign the generated certificate in the unknown/untrusted CA case.
- For mimicking behaviors such as revoked, unknown CA, and untrusted CA, a rule in the policy must evaluate at least one of these properties.
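As an added illustration of the two property classes and the “Untrusted CA” setting described above (example code, not the product's own), the Go program below models the behavior: properties that need no policy evaluation are copied from the upstream leaf verbatim, while chain trust, the configured property, selects the issuer, either the appliance's own CA or the configured Untrusted CA. It assumes both CA key pairs are supplied as Signer values (the constructed test material in a deployment would be the appliance CA and the Untrusted CA entry) and, for brevity, generates a fresh Ed25519 key rather than copying the upstream key type and size.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
)

// Signer pairs a certificate with its private key: the proxy CA, the configured "Untrusted CA" or a leaf.
type Signer struct{ Cert *x509.Certificate; Key ed25519.PrivateKey }

// issue generates a fresh key for tmpl and has parent sign it (self-signed when parent is nil).
func issue(tmpl *x509.Certificate, parent *Signer) (*Signer, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	if parent == nil {
		parent = &Signer{tmpl, key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, pub, parent.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Signer{cert, key}, err
}

// Mimic re-issues the upstream leaf for the client side of the intercepted session. Subject, SANs,
// validity and EKU are copied verbatim (the properties that need no policy evaluation). Chain trust
// is the configured property: an upstream chain that failed verification is re-signed by the
// untrusted CA, so the browser raises its own unknown-issuer warning instead of a block page.
func Mimic(upstream *x509.Certificate, upstreamTrusted bool, proxyCA, untrustedCA *Signer) (*Signer, error) {
	signer := proxyCA
	if !upstreamTrusted {
		signer = untrustedCA
	}
	return issue(&x509.Certificate{
		SerialNumber: upstream.SerialNumber, Subject: upstream.Subject, DNSNames: upstream.DNSNames,
		NotBefore: upstream.NotBefore, NotAfter: upstream.NotAfter, ExtKeyUsage: upstream.ExtKeyUsage,
	}, signer)
}

// BrowserCheck validates leaf for host the way a client that trusts only the proxy CA would.
func BrowserCheck(leaf, proxyRoot *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(proxyRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

A client that trusts only the proxy CA then gets the verdict it would have got from the origin: BrowserCheck returns x509.CertificateInvalidError with Reason Expired for an expired upstream certificate, x509.HostnameError for a name mismatch, and x509.UnknownAuthorityError when the mimic was signed by the Untrusted CA.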