Matching Traffic on Certificate Status

Before you begin

Procedure


Step 1

In the management center, click Policies > Access Control > Decryption.

Step 2

Add a new policy or edit an existing policy.

Step 3

Add a new TLS/SSL rule or edit an existing rule.

Step 4

In the Add Rule or Editing Rule dialog box, choose Cert Status.

Step 5

For each certificate status, you have the following options:

  • Choose Yes to match against the presence of that certificate status.

  • Choose No to match against the absence of that certificate status.

  • Choose Any to skip the condition when matching the rule. In other words, choosing Any means the rule matches whether the certificate status is present or absent.

Step 6

Add or continue editing the rule.


Example

The organization trusts the Verified Authority certificate authority. The organization does not trust the Spammer Authority certificate authority. The system administrator uploads the Verified Authority certificate and an intermediate CA certificate issued by Verified Authority to the system. Because Verified Authority revoked a certificate it previously issued, the system administrator uploads the CRL that Verified Authority provided.

The following figure shows a certificate status rule condition that checks for valid certificates: those issued by Verified Authority, not listed on the CRL, and still within their Valid From and Valid To dates. Because of this configuration, traffic encrypted with these certificates is not decrypted or inspected with access control.

Example of SSL policy with rule condition that matches valid certificates not in a CRL with valid dates

The following figure shows a certificate status rule condition checking for the absence of a status. In this case, because of the configuration, it matches against traffic encrypted with a certificate that has not expired and monitors that traffic.

Example of SSL policy with rule conditions that match in the absence of status

The following graphic illustrates a certificate status rule condition that matches on the presence or absence of several statuses. Because of the configuration, if the rule matches incoming traffic encrypted with a certificate that has an invalid issuer, is self-signed, is invalid, or is expired, it decrypts the traffic with a known key.

Example of matching SSL policy rule using several criteria

The following graphic illustrates a certificate status rule condition that matches if the SNI of the request matches the server name or if the CRL is not valid. Because of the configuration, if the rule matches either condition, traffic is blocked.

Example of an SSL policy rule matching the server SNI name or invalid CRL
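The Yes/No/Any semantics from Step 5 and the Example scenario above, worked through as an added illustration (not Cisco code or the management center's own matching logic). The certificate facts, the CA names, the revoked serial and the validity window are constructed; the assumption that active conditions are OR'd follows the "matches either condition" figure and is labelled in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Literal, Set

Choice = Literal["Yes", "No", "Any"]  # the three options offered in Step 5

@dataclass
class CertFacts:  # facts observed about a server certificate (constructed input)
    issuer: str
    serial: int
    subject_cn: str
    not_before: datetime
    not_after: datetime
    self_signed: bool = False

def derive_statuses(cert: CertFacts, trusted_cas: Set[str], crl_serials: Set[int],
                    sni: str, now: datetime) -> Dict[str, bool]:
    """Map certificate facts to Cert Status flags. 'Valid' follows the page:
    trusted issuer, not on the CRL, and inside the Valid From/To window."""
    in_window = cert.not_before <= now <= cert.not_after
    expired = now > cert.not_after
    revoked = cert.serial in crl_serials
    invalid_issuer = cert.issuer not in trusted_cas
    return {
        "Valid": in_window and not (revoked or invalid_issuer),
        "Expired": expired,
        "Revoked": revoked,
        "Self-signed": cert.self_signed,
        "Invalid Issuer": invalid_issuer,
        "Server Name Mismatch": sni.lower() != cert.subject_cn.lower(),
    }

def rule_matches(conditions: Dict[str, Choice], statuses: Dict[str, bool]) -> bool:
    """Yes = status present, No = status absent, Any = condition skipped.
    Assumption: active conditions are OR'd; all-Any matches every certificate."""
    active = [(n, c) for n, c in conditions.items() if c != "Any"]
    return not active or any(statuses.get(n, False) == (c == "Yes") for n, c in active)

# Constructed scenario: Verified Authority is trusted and its CRL revokes serial 4242.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
TRUSTED_CAS = {"Verified Authority"}
VERIFIED_AUTHORITY_CRL = {4242}
WINDOW = (datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2025, 1, 1, tzinfo=timezone.utc))
GOOD_CERT = CertFacts("Verified Authority", 1001, "www.example.com", *WINDOW)
REVOKED_CERT = CertFacts("Verified Authority", 4242, "www.example.com", *WINDOW)
SPAM_CERT = CertFacts("Spammer Authority", 7, "www.example.com", *WINDOW)

# Cert Status conditions from the page's figures; statuses not listed stay Any.
DO_NOT_DECRYPT = {"Valid": "Yes"}              # valid cert -> leave encrypted
MONITOR_NOT_EXPIRED = {"Expired": "No"}        # absence of Expired -> monitor
BLOCK = {"Server Name Mismatch": "Yes", "Revoked": "Yes"}  # either -> block
```

Running `rule_matches` over the three constructed certificates shows why a CRL upload matters: without the CRL, REVOKED_CERT would satisfy the do-not-decrypt rule and pass uninspected.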

What to do next

  • Deploy configuration changes.