Imperva Cyber Community

  • 1.  ⭐Imperva Insights: Custom Certificate vs. Incapsula Certificate

    Posted 10-23-2019 15:27
    Hi everyone - 

    Time for #ImpervaInsights ! Our Customer Success team gets many frequently asked questions, including this one below:

    We are using our custom certificate and Incapsula certificate, however we are unsure of which certificate will be presented. 

    What do our product experts have to say? 

    The preferred certificate will be the custom certificate. The Incapsula/Cloud WAF certificate will only be presented to the non-SNI clients. 

    What further questions do you have on certificates? 


    Christopher Detzel
    Community Manager
    Dallas TX

  • 2.  RE: ⭐Imperva Insights: Custom Certificate vs. Incapsula Certificate

    Posted 11-04-2019 15:51
    When using the Imperva-generated certificate and also the custom certificate, then...

    First, let's understand what an SNI client and a non-SNI client are.

    SNI stands for Server Name Indication (part of the TLS extensions).
    This allows a server to present multiple certificates on the same IP address.

    SNI clients:
    A client that supports TLS SNI can indicate the name of the server to which it is attempting to connect during the SSL handshake process.
    A server that supports TLS SNI can use this information to select the appropriate SSL certificate to return to the client in the ServerHello
    during the SSL handshake.

    Non-SNI clients:
    A client that does not support TLS SNI cannot indicate the server to which it is attempting to connect during the SSL handshake process.
    As a result, for a client using the standard TLS protocol, the server might send the wrong certificate to the client,
    because it does not yet know which certificate the client is looking for.

    If the client is using both certificates, then:

    SNI client - the custom certificate will be presented.
    Non-SNI client - the Imperva certificate will be presented.

    Also, we have a mechanism called "SSL Pooling".
    SSL pooling works on our proxies and cannot be disabled or removed; this is valid for both Imperva and custom certificates.
    Imperva stores certificates in the SSL pool and will always prefer to serve the custom certificate that includes a SAN
    that corresponds to the domain in question.

    By default, when the site doesn't have a custom certificate installed, we will serve the Imperva-generated certificate,
    unless the proxy finds another certificate in its custom certificates pool that includes a SAN that corresponds to the domain in question.

    Norbert Libor
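
    To make the two branches concrete, here is a small Python model of the selection rule described in this reply; it is an added illustration, not Imperva's proxy code, and the certificate labels, the example.test host names and the single-pool lookup are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: a label plus its dNSName SAN entries."""
    label: str
    sans: Tuple[str, ...]

def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or one wildcard in the leftmost label only."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # "*.example.test" -> ".example.test"
        # The wildcard must stand for exactly one non-empty label.
        return host.endswith(suffix) and host.count(".") == san.count(".") and len(host) > len(suffix)
    return False

def covers(cert: Cert, host: str) -> bool:
    """True if any SAN on the certificate is valid for the requested host name."""
    return any(san_matches(san, host) for san in cert.sans)

def select_certificate(custom_pool: Sequence[Cert], imperva_default: Cert,
                       sni_host: Optional[str]) -> Cert:
    """Certificate the proxy would present in ServerHello (model of the rule above).

    sni_host is None for a non-SNI client: with no name to look up in the pool,
    the Imperva-generated default is served. With SNI, the first custom
    certificate whose SAN covers the name wins; otherwise the default is served.
    """
    if sni_host is None:
        return imperva_default
    for cert in custom_pool:
        if covers(cert, sni_host):
            return cert
    return imperva_default

# Constructed sample data (example.test names, not real Imperva certificates).
CUSTOM = Cert("customer-uploaded", ("www.example.test", "*.example.test"))
IMPERVA = Cert("imperva-generated", ("shared-edge.example.test",))
POOL = (CUSTOM,)

if __name__ == "__main__":
    for sni in ("www.example.test", "app.example.test", "a.b.example.test", None):
        chosen = select_certificate(POOL, IMPERVA, sni)
        # A non-SNI client still expects the site's name, so check against that.
        ok = covers(chosen, sni or "www.example.test")
        print(f"SNI={sni!r:<22} served={chosen.label:<18} name check passes={ok}")
```

    The last loop iteration reproduces the non-SNI case: the default certificate is served and the client's host-name check against it fails.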

  • 3.  RE: ⭐Imperva Insights: Custom Certificate vs. Incapsula Certificate

    Posted 11-07-2019 12:53
    Hello Norbert. According to your answer, you may be able to help me with this situation:
    I currently have a site protected with Incapsula with a personalized certificate. The website is a Citrix NetScaler that contains an application farm, and when you run any of these applications it generates the following error.

    According to the image, it is detected that the WAF is presenting the Imperva certificate and not the personalized one, generating an error.

    Why, when doing an SSL test on the website, does it detect the personalized certificate and a second certificate that corresponds to Imperva's but does not have any alternative name corresponding to the protected site?

    The following image corresponds to an example of another site protected by Imperva; there the Imperva certificate does have the site it is protecting associated, and its status is correct.

    victor pinzon