Verifying the server certificate and uploading an untrusted certificate
You can enable server certificate validation to block traffic from servers with untrusted certificates or with certificate verification errors. You can also allow traffic from such servers and sign the server certificate with an untrusted Kaspersky NGFW certificate. To do this, you need to upload an untrusted certificate and a private key for this certificate.
Before enabling server certificate verification, make sure that the Management VRF is specified as the VRF in the Services section for system services.
To enable certificate verification:
In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.
This opens the Policy tab.
In the SSL Inspection section, select General.
Set the Decrypt encrypted connections toggle switch to On.
Under Certificate validation, set the Validate server certificate toggle switch to On.
Select a Session action in case of server certificate errors:
Block to block the session and send a TCP RST to the client side and to the server side for TCP sessions if any server certificate error occurs.
Allow with untrusted certificate to allow the session and sign the server certificate with an untrusted root certificate.
If necessary, enable logging for server certificate errors. In this case, the reasons for certificate validation errors are logged in the SSL inspection log.
If you select the Allow with untrusted certificate action, you need to upload an untrusted certificate:
Under Untrusted CA certificate, add a certificate. To do so, click the Select button to open the file selection window and select the certificate file. If the certificate cannot be uploaded, an error message is displayed with the reason why.
The certificate must satisfy the following requirements:
The file must be in a text format (PEM) or binary format (ASN.1).
We recommend using a .crt, .cer, .cert, or .pem file. However, other formats are permitted.
The certificate must be valid. You cannot upload an expired certificate or a certificate that has not yet become valid.
The Common name must be specified.
The Organization field must be specified.
After the certificate is successfully uploaded, detailed information about this certificate is displayed.
Under Private key for untrusted CA certificate, upload the private key of the certificate. To do so, click the Select button to open the file selection window and select the private key file.
The private key must satisfy the following requirements:
The key must be encrypted with a password.
The private key must match the uploaded certificate.
In the opened window, enter the password for the private key of the certificate and click OK.
Apply the OSMP policy changes by clicking the Commit and push button.
Server certificate verification is enabled, and the untrusted certificate and private key are saved in the Open Single Management Platform policy.
To avoid unauthorized access to traffic, the private key file must be stored in a secure location.
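The following script is an added example and is not part of the Kaspersky NGFW documentation or product. It checks a candidate untrusted CA certificate and its private key against the upload requirements listed above before you go through the Console procedure: the certificate parses as PEM or DER, is valid right now (not expired, not yet-to-become-valid), carries both a Common name and an Organization in its subject, and the key is password-encrypted and actually belongs to that certificate. It assumes the openssl command-line tool and GNU date are installed; the fixture file names, subject values and the password are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example (not from the Kaspersky NGFW documentation): pre-upload checks that a
# CA certificate and its private key meet the requirements for the
# "Allow with untrusted certificate" action. Assumes the openssl CLI and GNU date.
# File names, subjects and the password below are constructed for the demonstration.
set -u

# Print PEM or DER if the certificate parses in that encoding; fail otherwise.
cert_form() {
  if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then echo PEM; return 0; fi
  if openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo DER; return 0; fi
  return 1
}

# The certificate must be valid now: not expired (checkend 0) and past its notBefore date.
cert_valid_now() {
  form=$(cert_form "$1") || return 1
  openssl x509 -in "$1" -inform "$form" -noout -checkend 0 >/dev/null 2>&1 || return 1
  start=$(openssl x509 -in "$1" -inform "$form" -noout -startdate | cut -d= -f2)
  [ "$(date -u -d "$start" +%s)" -le "$(date -u +%s)" ]
}

# The subject must carry both CN (Common name) and O (Organization).
# RFC 2253 rendering gives a comma-separated list such as "CN=...,O=...".
cert_subject_ok() {
  form=$(cert_form "$1") || return 1
  subj=$(openssl x509 -in "$1" -inform "$form" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  echo "$subj" | grep -Eq '(^|,)CN=' && echo "$subj" | grep -Eq '(^|,)O='
}

# The private key must be password-encrypted: the PEM header announces encryption
# and loading it with an empty password must fail.
key_encrypted() {
  grep -q 'ENCRYPTED' "$1" || return 1
  ! openssl pkey -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# The public key derived from the private key must equal the one in the certificate.
key_matches_cert() {
  cert=$1; key=$2; pw=$3
  form=$(cert_form "$cert") || return 1
  a=$(openssl x509 -in "$cert" -inform "$form" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl pkey -in "$key" -passin "pass:$pw" -pubout 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run every requirement in order; report the first failure and return non-zero.
check_untrusted_ca() {
  cert=$1; key=$2; pw=$3
  cert_form "$cert" >/dev/null || { echo "certificate: not PEM or DER"; return 1; }
  cert_valid_now "$cert"       || { echo "certificate: expired or not yet valid"; return 1; }
  cert_subject_ok "$cert"      || { echo "certificate: subject needs CN and O"; return 1; }
  key_encrypted "$key"         || { echo "key: must be password-encrypted"; return 1; }
  key_matches_cert "$cert" "$key" "$pw" || { echo "key: does not match certificate"; return 1; }
  echo "ok: $cert / $key"
}

# Constructed fixtures: a compliant CA pair (PEM and DER copy), a CA whose subject has
# no Organization, and a CA whose private key is stored without a password.
make_fixtures() {
  dir=$1; pw=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -days 365 -passout "pass:$pw" \
    -subj "/O=Example Org/CN=Example Untrusted CA" \
    -keyout "$dir/good.key" -out "$dir/good.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -days 365 -passout "pass:$pw" \
    -subj "/CN=No Organization CA" \
    -keyout "$dir/noorg.key" -out "$dir/noorg.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -days 365 -nodes \
    -subj "/O=Example Org/CN=Plain Key CA" \
    -keyout "$dir/plain.key" -out "$dir/plain.crt" 2>/dev/null
  openssl x509 -in "$dir/good.crt" -outform DER -out "$dir/good.der"
}

# Demonstration when run as "sh check_ca.sh --demo": one passing and two failing pairs.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_fixtures "$tmp" 'demo-pass'
  check_untrusted_ca "$tmp/good.crt"  "$tmp/good.key"  'demo-pass'
  check_untrusted_ca "$tmp/noorg.crt" "$tmp/noorg.key" 'demo-pass'
  check_untrusted_ca "$tmp/plain.crt" "$tmp/plain.key" ''
  rm -rf "$tmp"
fi
```

Run the script with `--demo` to see the compliant pair pass and the two non-compliant pairs rejected with the reason, or source it and call `check_untrusted_ca <cert> <key> <password>` on your own files. The public-key comparison is used instead of comparing an RSA modulus so the same check works for EC keys; the `date -d` parsing of the notBefore field is the one place that relies on GNU date.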