Issues with speed or validation of HTTPS site certificates can be caused by the certificate authority lists being blocked from updating.
Browsers use publicly available certificate authority lists to validate HTTPS certificates from various parties. These certificate authority lists are updated regularly and browsers will automatically update their certificate stores if they have access to the CRL/SSL sites.
To make sure all browsers can reach those lists and update their certificate stores, ensure the following are in place in your configuration.
- Create an authentication exception for the SSL / CRL category. See Creating authentication exceptions.
- Create a web filter policy with these settings:
  - Who = Everyone
  - What = SSL / CRL
  - Where = Everywhere
  - When = Always
  - Action = Do not inspect
- Make sure that you move the policy above any block rules.
This enables the certificate revocation check to work correctly for all applications.
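To confirm the result from a client behind the filter, the following added example (not vendor code) lists the revocation endpoints a site's certificate names and reports whether each one answers. It assumes `openssl`, `curl` and `awk` are installed on the client, and it also lists OCSP responder URLs, which this page does not mention. The script file name and the `example.test` URLs in the sample are constructed.

```shell
#!/bin/sh
# Added example (not vendor code). Lists the CRL and OCSP URLs a certificate
# names, then reports whether each one answers from this client.

# Read `openssl x509 -noout -text` output on stdin; print "crl URL" / "ocsp URL".
revocation_urls() {
    awk '
        function indent(s) { match(s, /^ */); return RLENGTH }
        # Start of the CRL Distribution Points extension: remember its indent.
        /X509v3 CRL Distribution Points/ { cdp = indent($0); in_cdp = 1; next }
        # A non-blank line at the same or shallower indent starts the next extension.
        in_cdp && NF && indent($0) <= cdp { in_cdp = 0 }
        in_cdp && /URI:/ { sub(/^.*URI:/, ""); sub(/[ \t\r]+$/, ""); print "crl", $0; next }
        # OCSP responders are listed under Authority Information Access.
        /OCSP - URI:/ { sub(/^.*OCSP - URI:/, ""); sub(/[ \t\r]+$/, ""); print "ocsp", $0 }
    '
}

# Constructed sample of the relevant part of the text output (hypothetical URLs).
sample_cert_text() {
    cat <<'EOF'
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example.test/ca-g2.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.example.test
                CA Issuers - URI:http://certs.example.test/ca-g2.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
EOF
}

# $1 = host:port of an HTTPS site. Fetch its certificate and probe each endpoint.
# HTTP status 000 means the client got no response at all.
check_site() {
    openssl s_client -connect "$1" -servername "${1%:*}" </dev/null 2>/dev/null |
        openssl x509 -noout -text | revocation_urls |
        while read -r kind url; do
            code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url") || true
            printf '%-4s %s -> HTTP %s\n' "$kind" "$url" "$code"
        done
}

# With an argument, test that site; without one, parse the constructed sample.
if [ "$#" -gt 0 ]; then check_site "$1"; else sample_cert_text | revocation_urls; fi
```

Run it as `sh check_revocation.sh host:443` against a site users report as slow, once before and once after moving the policy above the block rules.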