Cisco Web Security Appliance S690 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
 
Chapter 11      Processing HTTPS Traffic
Figure 11-2    Certificate Issued by Web Security Appliance
You can choose how to handle the root certificates issued by the Web Security appliance:
  • Inform users to accept the root certificate. You can inform the users in your organization what the new policies are at the company and tell them to accept the root certificate supplied by the organization as a trusted source.
  • Add the root certificate to client machines. You can add the root certificate to all client machines on the network as a trusted root certificate authority. This way, the client applications automatically accept transactions with the root certificate. To verify that you are distributing the root certificate the appliance is using, you can download the root certificate from the Security Services > HTTPS Proxy page. Click Edit Settings, and then click the Download Certificate link for either the generated or uploaded certificate.
    You might want to download the root certificate from the appliance if a different person uploaded the root certificate to the appliance and you want to verify that you are distributing the same root certificate to the client machines.
Note: To reduce the possibility of client machines getting a certificate error, submit the changes after you generate or upload the root certificate to the Web Security appliance, then distribute the certificate to client machines, and then commit the changes to the appliance.
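One way to carry out the check described above, shown as an added example that is not part of the Cisco guide: compare the SHA-256 fingerprint of the certificate downloaded from the appliance with the copy queued for distribution, so that PEM versus DER encoding or different line endings do not cause a false mismatch. All function names are assumptions, and the sample bytes are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of one certificate given as PEM or raw DER."""
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError("expected one certificate, found a bundle")
    if blocks:
        # b64decode skips the line breaks (LF or CRLF) inside the PEM body.
        return base64.b64decode(blocks[0])
    if data[:1] != b"\x30":  # DER certificates start with an ASN.1 SEQUENCE tag
        raise ValueError("input is neither PEM nor DER")
    return data


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint of the certificate as colon-separated hex."""
    digest = hashlib.sha256(cert_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(from_appliance: bytes, to_distribute: bytes) -> bool:
    """True only if both files encode the same certificate."""
    return fingerprint(from_appliance) == fingerprint(to_distribute)


def to_pem(der: bytes, newline: bytes = b"\n") -> bytes:
    """Wrap DER bytes in a PEM envelope (used here to build sample input)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return newline.join(
        [b"-----BEGIN CERTIFICATE-----", *lines, b"-----END CERTIFICATE-----", b""])


# Constructed stand-ins for certificate files, not real certificates.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
OTHER_DER = SAMPLE_DER[:-1] + b"\x00"

if __name__ == "__main__":
    appliance_copy = to_pem(SAMPLE_DER, b"\r\n")  # as downloaded, CRLF PEM
    print(fingerprint(appliance_copy))
    print(same_certificate(appliance_copy, SAMPLE_DER))         # True
    print(same_certificate(appliance_copy, to_pem(OTHER_DER)))  # False
```

In practice, read both files in binary mode and pass their contents to same_certificate before pushing the certificate to client trust stores.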
Authentication and HTTPS Connections
Authentication at the HTTPS connection layer is available for these types of requests:
  • explicit requests with
      – secure client authentication disabled or
      – secure client authentication enabled and an IP-based surrogate
Callouts for Figure 11-2 (Certificate Issued by Web Security Appliance):
  • Root certificate information either generated or uploaded in the Web Security appliance.
  • Validity period specified in either the generated or uploaded root certificate.
  • Requested HTTPS server.