Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 10      Decryption Policies
openssl rsa -inform DER -in key_in_DER -outform PEM -out out_file_name

For DSA keys, use the following command:
openssl dsa -inform DER -in key_in_DER -outform PEM -out out_file_name

For more information about using OpenSSL, see the OpenSSL documentation, or 
visit http://openssl.org.
Enabling the HTTPS Proxy
To monitor and decrypt HTTPS traffic, you must enable the HTTPS Proxy on the 
Security Services > HTTPS Proxy page. When you enable the HTTPS Proxy, you 
must configure what the appliance uses for a root certificate when it sends 
self-signed server certificates to the client applications on the network. You can 
upload a root certificate and key that your organization already has, or you can 
configure the appliance to generate a certificate and key with information you 
enter.
Once the HTTPS Proxy is enabled, all HTTPS policy decisions are handled by 
Decryption Policies. You can no longer define Access and Routing Policy group 
membership by HTTPS, nor can you configure Access Policies to block HTTPS 
transactions. If some Access and Routing Policy group memberships are defined 
by HTTPS and if some Access Policies block HTTPS, then when you enable the 
HTTPS Proxy those Access and Routing Policy groups become disabled. You can 
choose to enable the policies at any time, but all HTTPS related configurations are 
removed. 
Note
When you upload a certificate to the Web Security appliance, verify it is a signing 
certificate and not a server certificate. A server certificate cannot be used as a 
signing certificate, so decryption does not work when you upload a server 
certificate.
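The following shell functions are an added example, not part of the Cisco guide: they perform the DER-to-PEM key conversion shown above and check, before anything is uploaded to the appliance, that the certificate is a signing (CA) certificate rather than a server certificate and that the key actually belongs to it. They assume the openssl CLI is installed; all file names are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): pre-upload checks for the
# HTTPS Proxy root certificate and key. Requires the openssl CLI.

# Convert a DER-encoded private key to PEM. Tries RSA first, then DSA
# (the two key types the guide covers), so the caller need not know
# the key type in advance.
der_key_to_pem() {
    in_der="$1"; out_pem="$2"
    openssl rsa -inform DER -in "$in_der" -outform PEM -out "$out_pem" 2>/dev/null \
      || openssl dsa -inform DER -in "$in_der" -outform PEM -out "$out_pem" 2>/dev/null
}

# Return 0 if the PEM certificate can act as a signing (CA) certificate:
# basicConstraints must say CA:TRUE and, if a keyUsage extension is
# present, it must include Certificate Sign. A plain server certificate
# (CA:FALSE, or no basicConstraints at all) fails this check, which is
# exactly the case the Note above warns about.
is_signing_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
          | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# Return 0 if the certificate's public key matches the private key, so the
# certificate/key pair uploaded to the appliance actually belongs together.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}
```

Run `is_signing_cert root.pem && key_matches_cert root.pem root-key.pem` (placeholder names) before uploading; a non-zero exit means the pair should not be used as the HTTPS Proxy root.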
For more information about root certificates, see