Cisco Web Security Appliance S360 Troubleshooting Guide

Why does WSA strip CRL information from generated certificates while decrypting HTTPS traffic?
Document ID: 118283
Contributed by David Paschich and Siddharth Rajpathak, Cisco TAC Engineers.
Aug 13, 2014
Contents
Questions
Environment
Symptoms
Questions
1. Why does the Cisco Web Security Appliance (WSA) strip CRL information from generated certificates while decrypting HTTPS traffic?
2. When generating a "spoofed" server certificate during SSL decryption, the WSA strips the certificate revocation list (CRL) distribution point, the field that tells clients where the original CA's CRL can be downloaded, from the copy of the original certificate. Why is this done?
Environment
WSA any version, HTTPS proxy and SSL decryption enabled.
Symptoms
The CRL distribution point present in the original server certificate is absent from the certificate the WSA generates while decrypting HTTPS traffic, so a client that relies on the CRL to validate the server certificate has no revocation information to consult and cannot confirm whether that certificate has been revoked.
The WSA strips the CRL information because it is no longer valid for the generated certificate. The explanation involves an understanding of how CRLs work.
A certificate authority (CA) can optionally maintain a list of certificates that it considers no longer valid, called a certificate revocation list, or CRL. A certificate may be revoked for a variety of reasons: the CA may determine that the entity that requested the certificate is not who they said they were, or the private key associated with the certificate may be reported stolen. Clients that are validating a web server identity based on a signed server certificate may consult the CRL to confirm that the certificate has not been revoked.
A CRL contains a list of certificates which have been revoked by a particular CA, and that list is then signed by the CA. Revoked certificates are identified by serial number, and a serial number is only meaningful together with the CA that issued it. A client can retrieve the CRL, verify the CA's signature on it, and then confirm that the serial number of the server certificate is not listed. The URL for downloading the CRL is usually included as a field in the certificate (the CRL Distribution Points extension). As a practical matter, most clients do not validate certificates against a CRL.
When the WSA is decrypting HTTPS or SSL traffic, it does this by generating a new server certificate and signing it with its own internal CA (the certificate uploaded or generated under the HTTPS proxy section). The generated certificate therefore has a different issuer and a different serial number from the original. The original CA's CRL lists serial numbers of certificates that CA issued, under that CA's signature, so it can say nothing about a certificate issued by the WSA's CA; if the CRL URL were copied into the generated certificate, clients would be directed to a revocation list that does not apply to the certificate they are validating.