What does Zscaler consider an untrusted server certificate?
If you have SSL inspection enabled, whenever a user attempts to access an HTTPS site, the Zscaler service intercepts the HTTPS request, and through a separate SSL tunnel, sends its own HTTPS request to the destination server. During the SSL handshake with the destination server, the Zscaler service verifies the status of the destination server certificate. The destination server certificate is considered untrusted by the service if it meets one or more of the following conditions:
- The server certificate issuer is unknown or is not trusted by the service.
- The server certificate is revoked and is listed in the Certification Revocation List (CRL) delivered by the issuer.
- There is at least one expired certificate in the certificate chain for the server certificate.
How the Service Treats Untrusted Certificates
When the server certificate is untrusted, you have the option to Allow, Pass Through, or Block the user’s transaction. See image below.
- Allow: The service allows access to sites with untrusted certificates. Zscaler certificate warnings are not displayed to users. Note: The local browser may display a certificate warning.
- Pass Through: Certificate warnings are displayed to users, and they can decide to proceed to the site. Note: The browser may display a certificate warning.
- Block: The service blocks access to sites with untrusted certificates. A block notification is displayed to users.
Skipping Inspection for Trusted Sites
You may want to select the Pass Through or Block options generally so that users are warned against or blocked from accessing sites with untrusted certificates. But there may also be specific sites that you trust – sites whose certificates you don’t need verified by the Zscaler service, and which you want users to access without any issues. In such scenarios, you can specify that the service skip decryption for those sites. This way, you can still warn users against or block sites with untrusted certificates in general, but allow users to access specific trusted sites without issues. For instructions, see How do I skip inspection for traffic to specific URLs or cloud apps? The Zscaler service will not decrypt transactions to sites you add in this field.