In some scenario customer might see custom certificate when they access their site, even when the custom certificate is not active for the site .
Reason being the Imperva proxy first checks to see if a custom certificate was uploaded to the specific site. If one is not found, the proxy looks at other sites in the same account.
If the proxy identifies a certificate uploaded to another site in same account that has a SAN corresponding to the site , then that custom certificate is used.
However the above behavior is different for the websites onboarded to Imperva after October 20, 2021, the proxy now selects a certificate in this order:
- The website's custom certificate.
- The Imperva-generated certificate.
- A custom certificate from another website in any account with a SAN corresponding to the website in question.
Note : If customer would like sites onboarded before Oct 20, 2021 to follow the new behaviour, customer can contact imperva Support to enforce the new behavior