Cisco Web Security Appliance S670 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 11      Processing HTTPS Traffic
Managing Certificate Validation and Decryption for HTTPS
Certificates that are Invalid for Multiple Reasons
For server certificates that are invalid due to both an unrecognized root authority and an expired certificate, the HTTPS Proxy performs the action that applies to unrecognized root authorities.

In all other cases, for server certificates that are invalid for multiple reasons simultaneously, the HTTPS Proxy performs actions in order from the most restrictive action to the least restrictive action.
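The two rules above can be expressed as a small policy-resolution function. This is an added illustration, not code from the guide or from AsyncOS; the action names (Monitor, Decrypt, Drop), their restrictiveness ranking, the reason labels other than "unrecognized root" and "expired", and the reading that the first rule covers exactly those two reasons are all assumptions made for the example.

```python
from enum import IntEnum


class Action(IntEnum):
    """Assumed invalid-certificate actions, ordered least to most restrictive."""
    MONITOR = 0  # pass the connection through without decrypting it
    DECRYPT = 1  # decrypt and present the untrusted certificate warning
    DROP = 2     # terminate the connection


# Reason labels; the guide itself only names the first two.
UNRECOGNIZED_ROOT = "unrecognized_root"
EXPIRED = "expired"
MISMATCHED_HOSTNAME = "mismatched_hostname"  # assumed extra reason


def resolve_action(reasons, policy):
    """Return the single action applied to a certificate that is invalid for
    every reason in `reasons`, given `policy` mapping reason -> Action.

    Rule 1 (guide): unrecognized root + expired -> the unrecognized-root action.
            (Read here as exactly those two reasons; that reading is an assumption.)
    Rule 2 (guide): otherwise, the most restrictive configured action wins,
            since actions are tried from most to least restrictive.
    """
    reasons = set(reasons)
    if not reasons:
        raise ValueError("certificate has no invalidity reasons")
    missing = reasons - policy.keys()
    if missing:
        raise KeyError(f"no configured action for: {sorted(missing)}")
    if reasons == {UNRECOGNIZED_ROOT, EXPIRED}:
        return policy[UNRECOGNIZED_ROOT]
    return max(policy[r] for r in reasons)


if __name__ == "__main__":
    # Constructed policy: expired certs are dropped, unknown roots only monitored.
    policy = {UNRECOGNIZED_ROOT: Action.MONITOR,
              EXPIRED: Action.DROP,
              MISMATCHED_HOSTNAME: Action.DECRYPT}
    # Rule 1: the (weaker) unrecognized-root action applies despite the expiry.
    print(resolve_action([UNRECOGNIZED_ROOT, EXPIRED], policy).name)      # MONITOR
    # Rule 2: most restrictive among the reasons present.
    print(resolve_action([EXPIRED, MISMATCHED_HOSTNAME], policy).name)    # DROP
```

Note that rule 1 can make the effective action weaker than the expired-certificate setting alone, which is worth checking when auditing a policy that relies on dropping expired certificates.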
Untrusted Certificate Warnings for Decrypted Connections
When the Web Security appliance encounters an invalid certificate and is configured to decrypt the connection, AsyncOS creates an untrusted certificate that requires the end-user to accept or reject the connection. The common name of the certificate is “Untrusted Certificate Warning.”

Adding this untrusted certificate to the list of trusted certificates will remove the end user’s option to accept or reject the connection.

When AsyncOS generates one of these certificates, it creates a proxy log entry with the text “Signing untrusted key” or “Signing untrusted cert”.
Enabling HTTPS Certificate Validation and Content Decryption
Step 1
Navigate to the Security Services > HTTPS Proxy page, and click Enable and Edit Settings.
Step 2
Read the terms of the HTTPS Proxy License Agreement, and click Accept.
Step 3
Verify the Enable HTTPS Proxy field is enabled.
Step 4
Specify the ports for which the appliance should serve as HTTPS Proxy. Separate multiple port numbers with commas. Port 443 is the default port.
Note
The maximum number of ports for which the Web Security appliance can serve as proxy is 30, which includes both HTTP and HTTPS. See , for information about specifying the ports for which the appliance serves as HTTP proxy.
Step 5
Either upload or generate a root/signing certificate to use for decryption.
Note
If the appliance has both an uploaded certificate and key pair and a generated certificate and key pair, it only uses the certificate and key pair currently selected in the Root Certificate for Signing section.