Cisco Web Security Appliance S690 User Guide

11-7
Cisco AsyncOS for Web User Guide
 
Chapter 11    Create Decryption Policies to Control HTTPS Traffic
Certificates
Invalid Certificate Handling
The appliance can perform one of the following actions for invalid server certificates:
Drop.
Decrypt.
Monitor.
Certificates that are Invalid for Multiple Reasons
For server certificates that are invalid due to both an unrecognized root authority and an expired certificate, the HTTPS proxy performs the action that applies to unrecognized root authorities.
In all other cases, for server certificates that are invalid for multiple reasons simultaneously, the HTTPS Proxy performs actions in order from the most restrictive action to the least restrictive action.
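The two rules above (the unrecognized-root-plus-expired special case, and "most restrictive action wins" otherwise) are easy to get wrong when reading a policy table, so the following added example encodes them as a small resolver. It is illustrative code written for this page, not Cisco's implementation: the reason names `unrecognized_root` and `expired` stand for the two conditions the guide names, `mismatched_hostname` is a hypothetical extra reason used only to exercise the general rule, and the special case is read as applying when exactly those two reasons are present. The Drop > Decrypt > Monitor ranking is the guide's own ordering of the three actions.

```python
# Actions the guide lists for an invalid server certificate, ranked from most
# restrictive to least restrictive (Drop > Decrypt > Monitor).
RESTRICTIVENESS = {"Drop": 3, "Decrypt": 2, "Monitor": 1}

# The two invalidity reasons the guide names; "mismatched_hostname" is a
# hypothetical extra reason used only to exercise the general rule.
ROOT, EXPIRED, HOSTNAME = "unrecognized_root", "expired", "mismatched_hostname"


def resolve_invalid_cert_action(reasons, policy):
    """Return the action the HTTPS proxy applies to a certificate that is invalid
    for every reason in `reasons`, given `policy` (reason -> configured action)."""
    reasons = set(reasons)
    if not reasons:
        return None                                   # valid certificate: nothing to decide
    missing = reasons - policy.keys()
    if missing:
        raise KeyError(f"no configured action for {sorted(missing)}")
    for reason in reasons:
        if policy[reason] not in RESTRICTIVENESS:
            raise ValueError(f"unknown action {policy[reason]!r} for {reason}")
    # Special case from the guide: unrecognized root authority together with an
    # expired certificate takes the unrecognized-root action, even when the
    # expired-certificate action is more restrictive (assumed: exactly these two).
    if reasons == {ROOT, EXPIRED}:
        return policy[ROOT]
    # General rule: the most restrictive configured action wins.
    return max((policy[r] for r in reasons), key=RESTRICTIVENESS.__getitem__)


def needs_untrusted_warning(action):
    """Decrypting an invalid certificate makes AsyncOS sign an 'Untrusted
    Certificate Warning' certificate (logged as 'Signing untrusted cert/key')."""
    return action == "Decrypt"


if __name__ == "__main__":
    # Constructed policy: note that "expired" is stricter than "unrecognized_root".
    policy = {ROOT: "Monitor", EXPIRED: "Drop", HOSTNAME: "Decrypt"}
    for reasons in ([ROOT, EXPIRED], [EXPIRED, HOSTNAME], [HOSTNAME], [ROOT]):
        action = resolve_invalid_cert_action(reasons, policy)
        print(f"{sorted(reasons)} -> {action} (untrusted warning: {needs_untrusted_warning(action)})")
```

With the constructed policy, a certificate that is both expired and from an unknown root resolves to Monitor (the root-authority action) rather than Drop, which is the behaviour an administrator most often finds surprising when reviewing why such a connection was not blocked.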
Untrusted Certificate Warnings for Decrypted Connections
When the Web Security appliance encounters an invalid certificate and is configured to decrypt the connection, AsyncOS creates an untrusted certificate that requires the end user to accept or reject the connection. The common name of the certificate is “Untrusted Certificate Warning.”
Adding this untrusted certificate to the list of trusted certificates will remove the end user’s option to accept or reject the connection.
When AsyncOS generates one of these certificates, it creates a proxy log entry with the text “Signing untrusted key” or “Signing untrusted cert”.
Uploading a Root Certificate and Key
Before you begin
Enable the HTTPS Proxy.
Step 1  Choose Security Services > HTTPS Proxy.
Step 2  Click Edit Settings.
Step 3  Select Use Uploaded Certificate and Key.
Step 4  Click Browse for the Certificate field to navigate to the certificate file stored on the local machine.
If the file you upload contains multiple certificates or keys, the Web Proxy uses the first certificate or key in the file.
Step 5  Click Browse for the Key field to navigate to the private key file.
Note  The key length must be 512, 1024, or 2048 bits.
Step 6  Select Key is Encrypted if the key is encrypted.
Step 7  Click Upload Files to transfer the certificate and key files to the Web Security appliance.
The uploaded certificate information is displayed on the Edit HTTPS Proxy Settings page.
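Three details of this procedure are easy to miss before clicking Upload Files: only the first certificate or key in a file is used, the key must be 512, 1024 or 2048 bits, and an encrypted key needs the Key is Encrypted box. The following added example (written for this page, not Cisco's code) is a pre-upload check using only the Python standard library: it counts the PEM blocks in a file, detects encrypted keys, and reads the RSA modulus size of an unencrypted PKCS#1 or PKCS#8 key with a minimal DER parser. `build_constructed_rsa_pem` fabricates a syntactically valid key PEM with a modulus of a chosen size so the check can run offline; its numbers are dummies and it is not a real key. Which key sizes the appliance rejects, and the block's warning texts, follow the guide's note; anything else about the appliance's behaviour is not assumed.

```python
import base64
import re

# Key sizes the guide's Step 5 note says the appliance accepts.
ALLOWED_KEY_BITS = {512, 1024, 2048}
RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"  # 1.2.840.113549.1.1.1
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


# --- minimal DER helpers: enough for RSAPrivateKey and the PKCS#8 wrapper ------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # pads so the sign bit stays clear
    return b"\x02" + _der_len(len(body)) + body


def der_sequence(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_constructed_rsa_pem(bits, pkcs8=False):
    """CONSTRUCTED sample: a syntactically valid RSA private key PEM whose modulus
    is exactly `bits` long. All numbers are dummies, so it is useless for crypto."""
    modulus = (1 << (bits - 1)) | 1
    rsa_key = der_sequence(der_integer(0), der_integer(modulus), der_integer(65537),
                           *[der_integer(1) for _ in range(6)])  # d, p, q, dp, dq, qInv
    if pkcs8:  # PrivateKeyInfo { version, AlgorithmIdentifier, OCTET STRING }
        der = der_sequence(der_integer(0), der_sequence(RSA_OID, b"\x05\x00"),
                           b"\x04" + _der_len(len(rsa_key)) + rsa_key)
        label = "PRIVATE KEY"
    else:
        der, label = rsa_key, "RSA PRIVATE KEY"
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def rsa_modulus_bits(der, pkcs8):
    """Modulus size of an unencrypted RSA key in PKCS#1 (pkcs8=False) or PKCS#8 form."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("key is not a DER SEQUENCE")
    if pkcs8:
        _, _, p = _read_tlv(body, 0)                   # version
        _, alg, p = _read_tlv(body, p)                 # AlgorithmIdentifier
        if _read_tlv(alg, 0)[1] != RSA_OID[2:]:
            raise ValueError("PKCS#8 key is not RSA")
        tag, inner, _ = _read_tlv(body, p)             # privateKey OCTET STRING
        if tag != 0x04:
            raise ValueError("malformed PKCS#8 key")
        _, body, _ = _read_tlv(inner, 0)               # the wrapped RSAPrivateKey
    _, _, p = _read_tlv(body, 0)                       # RSAPrivateKey version
    tag, n_bytes, _ = _read_tlv(body, p)               # modulus n
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(n_bytes, "big").bit_length()


def inspect_upload(pem_text):
    """Report what the Web Proxy would take from a PEM file chosen in Step 4 or Step 5."""
    blocks = PEM_BLOCK.findall(pem_text)
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    report = {"certificates": len(certs), "keys": len(keys),
              "key_bits": None, "key_encrypted": None, "warnings": []}
    if len(certs) > 1 or len(keys) > 1:
        report["warnings"].append("file holds several certificates or keys; only the first of each is used")
    if not keys:
        return report
    label, body = keys[0]                              # the key the Web Proxy will use
    encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
    report["key_encrypted"] = encrypted
    if encrypted:
        report["warnings"].append("key is encrypted: select 'Key is Encrypted' in Step 6 (size not checked)")
        return report
    try:
        bits = rsa_modulus_bits(base64.b64decode("".join(body.split())), pkcs8=(label == "PRIVATE KEY"))
    except (ValueError, IndexError) as exc:
        report["warnings"].append(f"could not read RSA modulus: {exc}")
        return report
    report["key_bits"] = bits
    if bits not in ALLOWED_KEY_BITS:
        report["warnings"].append(f"{bits}-bit key: the appliance requires 512, 1024 or 2048 bits")
    return report


# Constructed sample of a passphrase-protected PKCS#1 key (header only, dummy body).
ENCRYPTED_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                    "AAAAAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for sample in (build_constructed_rsa_pem(2048), build_constructed_rsa_pem(4096, pkcs8=True),
                   ENCRYPTED_SAMPLE, build_constructed_rsa_pem(1024) + build_constructed_rsa_pem(512)):
        print(inspect_upload(sample))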