Identify Untrusted CA Certificates

Find sites that have untrusted CA certificates so you can make informed decisions about allowed traffic.
Blocking access to sites with untrusted CA certificates and certificates self-signed by an untrusted root CA is a best practice because sites with untrusted CAs may indicate a man-in-the-middle attack, a replay attack, or other malicious activity.
  1. Ensure that you Block sessions with untrusted issuers in the Forward Proxy Decryption profile (Objects > Decryption > Decryption Profiles) so that sites with untrusted CAs are blocked.
    When you block sessions with untrusted issuers in the Decryption profile, the Decryption log (Monitor > Logs > Decryption) records the error.
  2. Filter the Decryption log to identify sessions that failed because the issuer CA is untrusted, using the query (error eq 'Untrusted issuer CA').
  3. (Optional) Double-check the certificate expiration date at the Qualys SSL Labs site.
    Enter the hostname of the server (Server Name Identification column of the Decryption log) in the Hostname field and submit it to view certificate information for the host.
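The following is an added example, not part of the PAN-OS documentation, showing how the filter from step 2 could be applied offline to an exported Decryption log and summarised per SNI hostname for review. The CSV column layout and the log entries are constructed for illustration (a real Decryption log export has many more fields), and error strings other than the page's own 'Untrusted issuer CA' are made up.

```python
"""Filter constructed PAN-OS-style Decryption log records for sessions that
failed with the 'Untrusted issuer CA' error and summarise them per SNI host."""
import csv
import io
from collections import Counter

# Constructed sample export (assumption: simplified column layout).
# Two of the four sessions failed on an untrusted issuer CA.
SAMPLE_LOG = """receive_time,src,dst,sni,error
2024/05/01 10:01:02,10.1.1.5,203.0.113.10,updates.example.com,
2024/05/01 10:02:15,10.1.1.7,203.0.113.22,portal.example.net,Untrusted issuer CA
2024/05/01 10:03:40,10.1.1.9,203.0.113.31,cdn.example.org,Expired certificate
2024/05/01 10:04:01,10.1.1.7,203.0.113.22,portal.example.net,Untrusted issuer CA
"""


def parse_decryption_log(text):
    """Parse a CSV export into a list of dicts, one per log entry."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_eq(entries, field, value):
    """Equivalent of the GUI log filter (field eq 'value')."""
    return [e for e in entries if e.get(field) == value]


def untrusted_issuer_hosts(text):
    """Return {sni: count} for sessions blocked because the issuer CA is untrusted.

    The SNI column is what you would enter at SSL Labs to inspect the host's chain."""
    blocked = filter_eq(parse_decryption_log(text), "error", "Untrusted issuer CA")
    return dict(Counter(e["sni"] for e in blocked))


if __name__ == "__main__":
    for host, n in sorted(untrusted_issuer_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {n} session(s) blocked for an untrusted issuer CA; review before allowing")
```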