Cisco Web Security Appliance S360 User Guide

CHAPTER 10: DECRYPTION POLICIES
IMPORTING A TRUSTED ROOT CERTIFICATE
When the Web Proxy receives a connection request for an HTTPS server, it validates the 
trustworthiness of the destination server by verifying the root certificate authority that signed 
the server certificate. If the Web Proxy does not recognize the root certificate that signed the 
server certificate, then it does not trust the server certificate. This happens when the HTTPS 
server uses a certificate authority that is not listed in the set of trusted certificate authorities 
that ship with the Web Security appliance. This might happen if your organization uses an 
internal certificate authority to sign certificates for servers on the internal network.
To prevent the Web Proxy from potentially blocking access to servers with unrecognized root 
certificate authorities, you can upload to the appliance root certificates that your organization 
trusts. For example, you might want to upload a root certificate used by the servers on your 
network.
You can upload multiple root certificate files to the appliance, and each file you upload can 
contain multiple root certificates. However, each certificate you upload must be a root 
certificate.
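Because every certificate in an uploaded file must be a root certificate, it helps to check a PEM bundle before importing it. The following is an added example, not part of the Cisco guide or the appliance software: it flags any certificate whose issuer differs from its subject, such as an intermediate or server certificate. It does not verify the signature or the CA flag. All function names are hypothetical, and the sample bundle is constructed from certificate-shaped DER skeletons with no real key or signature.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names inside tbsCertificate."""
    _, cert_start, _ = read_tlv(der, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, cert_start)      # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(der, pos)
        fields.append((tag, der[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                         # optional [0] version
        fields.pop(0)
    return fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject

def non_root_positions(pem_text):
    """1-based positions of certificates whose issuer differs from subject."""
    bad = []
    for i, m in enumerate(PEM_RE.finditer(pem_text), 1):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        if issuer != subject:
            bad.append(i)
    return bad

# Constructed sample input: DER skeletons shaped like certificates (not real ones).
def der_tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body            # short-form lengths only
def sample_name(cn):
    attr = der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode())  # CN=<cn>
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, attr)))
def sample_pem(issuer, subject):
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + der_tlv(0x30) + sample_name(issuer) + der_tlv(0x30)
                  + sample_name(subject) + der_tlv(0x30))
    der = der_tlv(0x30, tbs + der_tlv(0x30) + der_tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

SAMPLE_BUNDLE = (sample_pem("Example Root CA", "Example Root CA")
                 + sample_pem("Example Root CA", "Example Issuing CA"))
```

For the constructed bundle, non_root_positions(SAMPLE_BUNDLE) reports position 2, the certificate issued by the root to a different subject; an empty list means every certificate in the file is at least self-issued.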
To import a trusted root certificate:
1. Navigate to the Security Services > HTTPS Proxy page.
2. In the Custom Root Authority Certificates section, click Import.
3. In the Import Custom Root Authority Certificate File, click Browse.
4. Navigate to the location where the custom root authority certificate file is located and 
click Open.
5. Click Submit.
The uploaded root certificate is displayed in the “Custom Root Authority Certificates” 
section.
6. Optionally, repeat steps 2 through 5 to upload additional trusted root certificates.
7. Commit your changes.