Cisco Cisco Web Security Appliance S690 User Guide

Chapter 10      Decryption Policies
Decrypting HTTPS Traffic
10-16
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
For example, the appliance removes the Authority Key Identifier and the 
Authority Information Access X509v3 extensions.
Working with Root Certificates
The Web Security appliance mimics the HTTPS server to which a client originally 
sent a connection request. In order to establish a secure connection with the client 
pretending to be the requested server, the appliance must send a server certificate 
to the client signed by a root certificate authority configured in the appliance.
When you enable the HTTPS Proxy on the appliance, you can configure the root 
certificate information that the appliance uses to sign its server certificates. You 
can enter root certificate information in the following ways:
  • Generate. You can enter some basic organization information and then click a button so the appliance generates the rest of the certificate and a private key. You might want to generate a certificate and key when your organization does not have a certificate and key in use, or when it wants to create a new and unique certificate and key.
  • Upload. You can upload a certificate file and its matching private key file created outside of the appliance. You might want to upload a certificate and key file if the clients on the network already have the root certificates on their machines.
 
The certificate and key files you upload must be in PEM format. DER format 
is not supported. For more information about converting a DER-formatted 
certificate or key to PEM format, see 
Note
The certificate you upload must contain “basicConstraints=CA:TRUE” to 
work with Mozilla Firefox browsers. This constraint allows Firefox to 
recognize the root certificate as a trusted root authority.
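A pre-upload check for the two requirements just stated (PEM encoding only, and basicConstraints CA:TRUE so that Firefox accepts the root), added here as an example and not taken from the Cisco guide or the appliance software. It uses only the Python standard library; the DER walker is a minimal one written for this check rather than a general X.509 validator, and the two sample certificates are constructed skeletons that contain only the fields the walker reads.

```python
import ssl
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # id-ce-basicConstraints, OID 2.5.29.19
def der_read(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        yield tag, val

def basic_constraints_ca(cert_der):
    """cA flag of the basicConstraints extension: True, False, or None if the extension is absent."""
    _, cert, _ = der_read(cert_der)             # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_read(cert)                  # first element is the TBSCertificate SEQUENCE
    for tag, val in der_children(tbs):
        if tag != 0xA3:                         # extensions sit under the [3] EXPLICIT tag
            continue
        _, exts, _ = der_read(val)
        for _, ext in der_children(exts):
            fields = list(der_children(ext))    # extnID, optional critical BOOLEAN, extnValue
            if fields[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            _, bc, _ = der_read(fields[-1][1])  # extnValue OCTET STRING wraps BasicConstraints
            inner = list(der_children(bc))      # cA BOOLEAN DEFAULT FALSE, pathLenConstraint OPTIONAL
            return bool(inner) and inner[0][0] == 0x01 and inner[0][1] == b"\xff"
    return None

def check_root_cert(data):
    """Pre-upload check: accept PEM text or DER bytes; return (PEM text, cA flag)."""
    if isinstance(data, bytes) and data[:1] == b"\x30":   # DER begins with a SEQUENCE tag
        data = ssl.DER_cert_to_PEM_cert(data)              # the appliance accepts PEM only
    pem = data.decode() if isinstance(data, bytes) else data
    return pem, basic_constraints_ca(ssl.PEM_cert_to_DER_cert(pem))
# Constructed sample input (NOT real certificates): skeletons holding only the fields parsed above.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body                   # short-form lengths suffice here
def skeleton_cert(basic_constraints):
    ext = tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS) + tlv(0x01, b"\xff") + tlv(0x04, basic_constraints))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tbs)
CA_TRUE_DER = skeleton_cert(tlv(0x30, tlv(0x01, b"\xff")))  # basicConstraints=CA:TRUE, uploadable
END_ENTITY_DER = skeleton_cert(tlv(0x30, b""))              # cA omitted, so DEFAULT FALSE: reject
```

Run `check_root_cert` on the file you intend to upload: a DER file is converted to the PEM text the appliance expects, and a `False` or `None` cA result means the certificate is not a usable root for Firefox clients.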
For more information about how to generate or upload a certificate and key, see 
However, typically, the root certificate information you generate or upload in the 
appliance is not listed as a trusted root certificate authority in client applications. 
By default in most web browsers, when users send HTTPS requests, they will see 
a warning message from the client application informing them that there is a