Using AIA entries for certificate downloads

Certificates that are missing from the chain of server certificates a client requires for SSL-secured communication can be downloaded from the URLs specified in Authority Information Access (AIA) entries. The AIA entries used for this are those included in the last certificate of the chain.

Note: The information provided here regarding SSL also applies when the newer version of this protocol known as TLS (Transport Layer Security) is used.

AIA downloads are performed by the Certificate Chain module (or engine) of Web Gateway, which acts as a proxy in this communication. Only one AIA download is performed per handshake. Downloaded certificates are cached for 24 hours and re-used for other connections.

A certificate chain is considered complete once it ends in a trusted certificate authority (CA). If SSL-secured connections are tunneled, for example because of whitelisting or for client authentication, the client itself must also obtain the missing certificates, which it can again do using the URLs specified in AIA entries.
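The behaviour described above (AIA entry read from the last certificate, at most one download per handshake, downloads cached for 24 hours, chain complete once it ends in a trusted CA) modelled as an added Python example; this is not Web Gateway's code, and the certificate names, URLs and the in-memory AIA_SERVER stand-in for the HTTP download are constructed so that it runs offline.

```python
from dataclasses import dataclass, field
from typing import Optional

AIA_CACHE_TTL = 24 * 3600  # seconds: downloaded certificates are re-used for 24 hours

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia_url: Optional[str] = None  # caIssuers URL from the AIA extension, if present

# Constructed sample PKI (hypothetical names): leaf -> (sub CA ->) intermediate -> root
ROOT = Cert("Root CA", "Root CA")
INTERMEDIATE = Cert("Intermediate CA", "Root CA", "http://ca.example.test/root.cer")
SUB = Cert("Sub CA", "Intermediate CA", "http://ca.example.test/intermediate.cer")
LEAF = Cert("www.example.test", "Intermediate CA", "http://ca.example.test/intermediate.cer")
DEEP_LEAF = Cert("deep.example.test", "Sub CA", "http://ca.example.test/sub.cer")
AIA_SERVER = {  # stand-in for the servers behind the AIA URLs, so the example runs offline
    "http://ca.example.test/root.cer": ROOT,
    "http://ca.example.test/intermediate.cer": INTERMEDIATE,
    "http://ca.example.test/sub.cer": SUB,
}

@dataclass
class AiaCache:
    entries: dict = field(default_factory=dict)  # url -> (cert, fetched_at)
    downloads: int = 0  # simulated downloads actually performed

    def fetch(self, url: str, now: float) -> Optional[Cert]:
        hit = self.entries.get(url)
        if hit and now - hit[1] < AIA_CACHE_TTL:
            return hit[0]  # cached copy re-used for another connection
        self.downloads += 1
        cert = AIA_SERVER.get(url)
        if cert:
            self.entries[url] = (cert, now)
        return cert

def ends_in_trusted(chain, trusted) -> bool:
    return chain[-1].subject in trusted or chain[-1].issuer in trusted

def complete_chain(chain, trusted, cache, now):
    """One handshake: read the AIA entry of the last certificate and perform at most one download."""
    chain = list(chain)
    last = chain[-1]  # the AIA entry is taken from the last certificate of the chain
    if not ends_in_trusted(chain, trusted) and last.aia_url:
        issuer = cache.fetch(last.aia_url, now)
        if issuer and issuer.subject == last.issuer:
            chain.append(issuer)
    return chain, ends_in_trusted(chain, trusted)
```

A chain that is missing two certificates (DEEP_LEAF) stays incomplete within a single handshake, since only one AIA download is performed per handshake.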

To enable AIA downloads, you must make sure that the setting for this download is selected on the user interface of Web Gateway. The setting is selected by default.

The setting is part of the Default settings for the Certificate Chain module. It can also be accessed when editing the Certificate chain filters element in the key elements view of the SSL Scanner rule set.