Cisco Web Security Appliance S670 Troubleshooting Guide

WSA Certificate Usage for HTTPS Decryption
Document ID: 117792
Contributed by Josh Wolfer, Cisco TAC Engineer.
Jun 11, 2014
Contents
Introduction
Certificate Overview
     Root Certificates
     Server Certificates
Related Information 
Introduction
This document describes the type of certificate that should be used for HTTPS decryption on a Cisco Web
Security Appliance (WSA).
Certificate Overview
The WSA can use a current certificate and private key for HTTPS decryption. However,
there might be confusion about the type of certificate that should be used, since not all X.509 certificates work.
There are two major types of certificates: Server certificates and Root certificates. All X.509 certificates
contain a Basic Constraints field, which identifies the type of certificate:
• Subject Type=End Entity − Server certificate
• Subject Type=CA − Root certificate
Note: You must use a Root certificate, also referred to as a Certificate Authority (CA) Signing certificate, for
HTTPS decryption on the WSA.
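
The Basic Constraints check described above can be run with OpenSSL before a key pair is uploaded; OpenSSL prints the field as CA:TRUE or CA:FALSE. This is an added example, not part of the original Cisco document. The helper names, file names and the two self-signed sample certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; sample certificates, file names and helper names are constructed.

# True only when Basic Constraints marks the certificate as a CA (Subject Type=CA).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# True when the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Both conditions a key pair must meet before it is uploaded for decryption.
wsa_signing_pair_ok() {
    is_ca_cert "$1" && key_matches_cert "$1" "$2"
}

# Create a constructed self-signed sample: $1 = file prefix, $2 = TRUE or FALSE.
make_sample() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed-sample.example
[ext]
basicConstraints = critical,CA:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

WORK=$(mktemp -d)
make_sample "$WORK/ca" TRUE        # Subject Type=CA
make_sample "$WORK/server" FALSE   # Subject Type=End Entity
for name in ca server; do
    if wsa_signing_pair_ok "$WORK/$name.pem" "$WORK/$name.key"; then
        echo "$name.pem: CA certificate with matching key, usable for signing"
    else
        echo "$name.pem: not a CA certificate or key mismatch, do not upload"
    fi
done
```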
Root Certificates
A Root certificate is specifically created in order to sign server certificates. You can create and operate your
own CA and sign your own server certificates.
Note: Since a Root certificate only signs other certificates, it cannot be used on a web server in order to
perform HTTPS encryption and decryption.
The WSA must use a Root certificate in order to actively generate server certificates for HTTPS decryption.
There are two options available for Root certificate usage:
• Generate a root certificate on the WSA. The WSA creates its own Root certificate and private key,
and it uses this key pair in order to sign Server certificates.