Validation of Public and Internally-Issued CA Certificates

Feature Request: Validation of Public and Internally-Issued CA Certificates


Connections from Coveo’s indexing service to public or internal data sources should be done over fully validated TLS connections, checking the data source certificate for: time validity, that it was issued by a CA that chains up to something the indexers trust, not revoked (via CRL/OCSP), and issued for the hostname of the data source. In connecting to customer data sources that are not protected by a publicly trusted CA certificate, the indexing process should throw a user-visible exception that it was unable to securely establish a connection. The customer then would be able to, on a per application/data source basis, reconfigure the connection properties such that these exceptions are:

  • Ignored (current behavior), or
  • Allow the customer to upload the root CA certificate for the internal CA


Posting the root CA certificate for a given data source should only apply to that application or customer instance, and should not be usable for other customer’s data source certificate validation..

  • JP Ciceri
  • Dec 15 2016
I need it... Yesterday (let's go already)
  • Attach files