Verify Options
Verify options for Trusted Vendors allow you to specify parameters for validating a certificate by ignoring or allowing specific attributes. The certificate must be valid for the rule to be applicable, but there are different levels of validation with which you can configure a certificate.
The advanced options are available when adding metadata for files, by clicking Verify Options.
Altering the settings using the Advanced Certificate Options could reduce the level of security required to validate a certificate.
The Verify Options dialog displays the current status of a certificate and gives access to Expiry Date and Advanced Certificate options. The verify options are available from:
- Certificates for trusted vendors
- Metadata for allowed or denied files and folders
When you add a certificate, Application Control checks to see if it is valid and displays the result of the check in the Current Verification Status message box. The check is performed each time an option in this dialog is updated. For example, the certificate could be invalid due to an untrusted root certificate. If the Allow untrusted roots option is subsequently selected, Application Control checks the certificate again and updates the status to show that certificate validation is successful.
You can also choose whether to enforce the expiry date of the certificate. The default setting is that Application Control ignores the expiry date of certificates so they remain valid indefinitely. If you choose to enforce the expiry date, the certificate is unverified after that date and the vendor is no longer trusted.
Advanced Certificate Options
Advanced certificate options allow you to specify parameters for validating a certificate by ignoring or allowing specific attributes. The certificate must be valid for the rule to be applicable, but there are different levels of validation with which you can configure a certificate.
Altering the settings using the Advanced Certificate Options could reduce the level of security required to validate a certificate and present a security risk.
Apply the following settings when determining certificate verification:
- Ignore CTL revocation errors - Ignore errors when obtaining Certificate Trust List (CTL) revocation.
- Ignore CA revocation errors - Ignore errors when obtaining Certificate Authority (CA) revocation.
- Ignore end Certificate revocation errors - Ignore errors when obtaining the end certificate, or user certificate, revocation is unknown.
- Ignore root revocation errors - Ignore errors when obtaining valid root revocation
- Ignore CTL not time valid error - Ignores that the certificate trust list is not valid, for example, the certificate may have expired.
- Ignore time nesting errors - Ignores that the Certificate Authority (CA) certificate and the issued certificate have validity periods that are not nested.
- Ignore basic constraint errors - Ignores that the basic constraints are not valid.
- Ignore invalid name errors - Ignores that the certificate has an invalid name.
- Ignore invalid policy errors - Ignores that the certificate has an invalid policy.
- Ignore invalid usage errors - Ignores that the certificate was not issued for the current use.
- Allow untrusted roots - Ignores that the root cannot be verified due to an unknown certificate authority.
The CA certificate may be valid from January 1st to December 1st, and the issued certificate from January 2nd to December 2nd. This means that the validity periods are not nested.