Pass Through Host Certificate Validation

Choose whether to enable or disable the default certificate validation process during the SSL/TLS handshake. By default, certificate validation is enabled. This option applies only to the Microsoft schannel provider.
Note: By default, schannel (MSCAPI) is responsible for validating the host certificate chain received during the SSL/TLS handshake. Schannel runs several checks on the received certificate chain, one of which verifies that the signature affixed to the certificate is valid. The hash value computed on the certificate contents must match the value that results from decrypting the signature field using the public component of the issuer. To perform this operation, the user must hold the public component of the issuer, obtained either through some integrity-assured channel or by extracting it from another (validated) certificate. The default certificate validation process is exhaustive and runs several checks on the host certificate chain before it is considered valid. When this option is enabled, the user effectively suppresses the default validation done by schannel, and the identity of the host is not verified. Because host certificate validation is skipped, the status bar is updated with the following message: “Skip the certificate validation since pass-through host certificate validation option is enabled.” Using this option is not recommended.

When the host certificate is not added to the trusted root and “Pass-Through Host Certificate Validation” is enabled, a pop-up is displayed. Users can suppress this pop-up by adding the “SuppressPassThroughPopup=Y” keyword under the “[Security]” section in the pcswin.ini file. By default, SuppressPassThroughPopup is disabled.
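
An audit check for the keyword described above, as an added example (not code from the product or its documentation): it reports where a pcswin.ini sets SuppressPassThroughPopup=Y under [Security], so that workstations with the pop-up silenced can be found and reviewed. The function names, the case-insensitive matching and the `;`/`#` comment handling are assumptions, and the file path is passed as an argument because the page does not give its location.

```python
import re
import sys

SECTION = "security"                   # section named on the page
KEY = "suppresspassthroughpopup"       # keyword named on the page

# Constructed sample input, not taken from a real pcswin.ini.
SAMPLE_INI = (
    "; constructed sample\n"
    "[Other]\n"
    "SuppressPassThroughPopup=Y\n"      # wrong section: ignored
    "[Security]\n"
    "; SuppressPassThroughPopup=Y\n"    # commented out: ignored
    "suppresspassthroughpopup = y\n"    # reported (line 6)
    "[Next]\n"
)

def suppressed_popup_lines(ini_text):
    """Return 1-based line numbers in [Security] that set the keyword to Y."""
    hits, section = [], None
    for lineno, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":          # assumed comment markers
            continue
        header = re.fullmatch(r"\[([^\]]*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if (sep and section == SECTION and key.strip().lower() == KEY
                and value.strip().upper() == "Y"):
            hits.append(lineno)                  # report every occurrence
    return hits

def audit_file(path):
    """Read an INI file (UTF-16 with BOM, or UTF-8/ANSI) and audit it."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig", errors="replace")
    return suppressed_popup_lines(text)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("sample:", suppressed_popup_lines(SAMPLE_INI))
    for path in sys.argv[1:]:
        lines = audit_file(path)
        print(f"{path}: {'pop-up suppressed at line(s) ' + str(lines) if lines else 'ok'}")
```

A hit means only that the pop-up is silenced; whether pass-through validation itself is enabled for a session still has to be checked in the session's security settings.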