Cisco Web Security Appliance S380 User Guide

AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide

Chapter 11  Create Decryption Policies to Control HTTPS Traffic
Root Certificates

Step 5  (Optional) Expand the Advanced configuration section and configure the settings described below.

| Field Name | Description |
|---|---|
| OCSP Valid Response Cache Timeout | Time to wait before rechecking a valid OCSP response in seconds (s), minutes (m), hours (h), or days (d). Default unit is seconds. Valid range is from 1 second to 7 days. |
| OCSP Invalid Response Cache Timeout | Time to wait before rechecking an invalid OCSP response in seconds (s), minutes (m), hours (h), or days (d). Default unit is seconds. Valid range is from 1 second to 7 days. |
| OCSP Network Error Cache Timeout | Time to wait before attempting to contact the OCSP responder again after failing to get a response in seconds (s), minutes (m), hours (h), or days (d). Valid range from 1 second to 24 hours. |
| Allowed Clock Skew | Maximum allowed difference in time settings between the Web Security appliance and the OCSP responder in seconds (s) or minutes (m). Valid range from 1 second to 60 minutes. |
| Maximum Time to Wait for OCSP Response | Maximum time to wait for a response from the OCSP responder. Valid range is from 1 second to 10 minutes. Specify a shorter duration to reduce delays in end user access to HTTPS requests in the event that the OCSP responder is unavailable. |
| Use upstream proxy for OCSP checking | Group Name of the upstream proxies. |
| Servers exempt from upstream proxy | IP addresses or hostnames of the servers to exempt. May be left blank. |

Step 6  Submit and Commit Changes.

Trusted Root Certificates

The Web Security appliance ships with and maintains a list of trusted root certificates. Web sites with trusted certificates do not require decryption.

You can manage the trusted certificate list, adding certificates to it and functionally removing certificates from it. While the Web Security appliance does not delete certificates from the master list, it allows you to override trust in a certificate, which functionally removes the certificate from the trusted list.

Adding Certificates to the Trusted List

Before You Begin

Verify that the HTTPS Proxy is enabled. See

Step 1  Security Services > HTTPS Proxy.
Step 2  Click Manage Trusted Root Certificates.
Step 3  Click Import.
Step 4  Click Browse and navigate to the certificate file.
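
The OCSP settings in the Field Name / Description table above, as an added Python example that is not from the Cisco guide and does not reproduce the appliance's own code: it checks unit-suffixed values against the documented ranges and shows how an OCSP client typically applies a clock-skew allowance and per-outcome cache timeouts. The function names, the field keys, treating a bare number as seconds for every field, and the unit list for the maximum wait are assumptions.

```python
from datetime import datetime, timedelta, timezone

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# field -> (min seconds, max seconds, accepted unit letters), taken from the table.
LIMITS = {
    "valid_cache":         (1, 7 * 86400, "smhd"),
    "invalid_cache":       (1, 7 * 86400, "smhd"),
    "network_error_cache": (1, 24 * 3600, "smhd"),
    "clock_skew":          (1, 60 * 60,   "sm"),
    "max_wait":            (1, 10 * 60,   "smhd"),  # assumption: the table lists no units here
}

def parse_duration(field, text):
    """Return the value in seconds, or raise ValueError if malformed or out of range."""
    low, high, units = LIMITS[field]
    text = text.strip().lower()
    has_unit = text[-1:].isalpha()
    unit = text[-1] if has_unit else "s"          # assumption: bare number means seconds
    digits = text[:-1] if has_unit else text
    if unit not in units or not digits.isdigit():
        raise ValueError(f"{field}: cannot parse {text!r}")
    seconds = int(digits) * UNITS[unit]
    if not low <= seconds <= high:
        raise ValueError(f"{field}: {seconds}s is outside {low}..{high}s")
    return seconds

def response_is_current(this_update, next_update, now, skew_s):
    """True if 'now' lies in the response's validity window widened by the allowed skew."""
    skew = timedelta(seconds=skew_s)
    return this_update - skew <= now <= next_update + skew

def recheck_due(outcome, checked_at, now, cfg):
    """outcome is 'valid', 'invalid' or 'network_error'; cfg maps LIMITS keys to seconds."""
    ttl = cfg[f"{outcome}_cache"]
    return now - checked_at >= timedelta(seconds=ttl)

# Constructed sample settings and timestamp (not appliance defaults).
CFG = {name: parse_duration(name, value) for name, value in {
    "valid_cache": "1h", "invalid_cache": "120", "network_error_cache": "5m",
    "clock_skew": "5m", "max_wait": "4",
}.items()}
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
```

A wider clock skew accepts responses from a responder whose clock disagrees with the local one, at the cost of also accepting slightly stale or not-yet-valid responses; longer cache timeouts reduce responder traffic but delay the point at which a changed revocation status is noticed.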