Cisco Cisco Web Security Appliance S670 User Guide

Uploading Certificates to the Web Security Appliance
Chapter 22: System Administration
515
The certificate you upload to the appliance must meet the following requirements:
• It must use the X.509 standard.
• It must include a matching private key in PEM format. DER format is not supported.
• The private key must be unencrypted.
The Web Security appliance cannot generate Certificate Signing Requests (CSR). Therefore, to have a certificate created for the appliance, you must issue the signing request from another system. Save the PEM-formatted key from this system because you will need to install it on the appliance later.
You can use any UNIX machine with a recent version of OpenSSL installed. Be sure to put the appliance host name in the CSR. Use the guidelines at the following location for information on generating a CSR using OpenSSL:
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28
 
Once the CSR has been generated, submit it to a certificate authority (CA). The CA will return the certificate in PEM format.
If you are acquiring a certificate for the first time, search the Internet for “certificate authority services SSL server certificates,” and choose the service that best meets the needs of your organization. Follow the service’s instructions for obtaining an SSL certificate.
Note — You can also generate and sign your own certificate. Tools for doing this are included with OpenSSL, free software from http://www.openssl.org.
Intermediate Certificates
In addition to root certificate authority (CA) certificate verification, AsyncOS supports the use of intermediate certificate verification. Intermediate certificates are certificates issued by a trusted root CA which are then used to create additional certificates. This creates a chained line of trust. For example, a certificate may be issued by example.com who, in turn, is granted the rights to issue certificates by a trusted root CA. The certificate issued by example.com must be validated against example.com’s private key as well as the trusted root CA’s private key.
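The CSR workflow above, carried out on a UNIX host with OpenSSL, as an added example that is not part of the Cisco guide: it generates an unencrypted PEM key and a CSR carrying the appliance host name, optionally self-signs for a lab, checks that the key and certificate satisfy the upload requirements (PEM, unencrypted, matching key), and verifies a certificate against a root CA plus intermediate. The host name wsa.example.com, the working directory and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Assumes openssl is on PATH;
# "wsa.example.com" and WORKDIR are placeholder values.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-wsa.example.com}"

# Generate a 2048-bit RSA private key in PEM with no passphrase (the
# appliance rejects encrypted keys and DER-encoded keys), then a CSR
# whose CN is the appliance host name.
gen_key_and_csr() {
  openssl genrsa -out "$WORKDIR/$HOST.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.csr" \
    -subj "/C=US/O=Example Org/CN=$HOST"
}

# Lab shortcut: self-sign the CSR. In production, submit the CSR to a CA
# and use the PEM certificate it returns instead.
self_sign() {
  openssl x509 -req -days 365 -in "$WORKDIR/$HOST.csr" \
    -signkey "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.crt" 2>/dev/null
}

# Return 0 only if the key is PEM, unencrypted, and matches the certificate,
# i.e. the pair is ready to be pasted into certconfig.
check_upload_ready() {
  key="$1"; crt="$2"
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
    || { echo "key is not PEM (DER is not supported)"; return 1; }
  if grep -q 'ENCRYPTED' "$key"; then echo "key is encrypted"; return 1; fi
  openssl rsa -in "$key" -check -noout >/dev/null 2>&1 \
    || { echo "key unreadable"; return 1; }
  # The public key derived from the private key must equal the one in the cert.
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$crt" -pubkey -noout | openssl dgst -sha256)
  [ "$k" = "$c" ] || { echo "key does not match certificate"; return 1; }
  echo "ok: $crt and $key meet the upload requirements"
}

# Chain check for a CA-issued certificate: trust the root, supply the
# intermediate as untrusted, and verify the leaf builds a path to the root.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3"
}
```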
Uploading Certificates to the Web Security Appliance
To upload a digital certificate to the Web Security appliance, use the certconfig command.
The following example shows a certificate being uploaded. You can also add intermediate certificates from this command.
example.com> certconfig
Currently using the demo certificate/key for HTTPS management access.
Choose the operation you want to perform:
- SETUP - Configure security certificate and key.