Cisco Web Security Appliance S170 User Guide
11-8
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 11 Processing HTTPS Traffic
Managing Certificate Validation and Decryption for HTTPS
Certificates that are Invalid for Multiple Reasons
For server certificates that are invalid due to both an unrecognized root authority and an expired certificate, the HTTPS proxy performs the action that applies to unrecognized root authorities.
In all other cases, for server certificates that are invalid for multiple reasons simultaneously, the HTTPS Proxy performs actions in order from the most restrictive action to the least restrictive action.
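The two rules above are easy to misread when a certificate fails more than one check, so the following is an added worked example (not AsyncOS code and not taken from the guide) that models them as a small policy resolver. The action names Drop, Decrypt and Monitor, their ordering from most to least restrictive, and the failure-reason labels are assumptions made for the illustration; the exception for "unrecognized root authority plus expired" is taken to apply when those are exactly the two failures present, and "performs actions in order from the most restrictive" is modelled as "the most restrictive configured action wins".

```python
"""Resolve the HTTPS Proxy action for a server certificate that is invalid
for several reasons at once.

Added example, not AsyncOS code. Assumptions (not from the guide):
  - the per-reason actions are Drop, Decrypt and Monitor, ordered from most
    to least restrictive as Drop > Decrypt > Monitor;
  - the failure-reason labels below are illustrative names.
Rules taken from the guide:
  1. unrecognized root authority + expired certificate -> use the action
     configured for unrecognized root authorities;
  2. otherwise, apply the configured actions from most to least restrictive,
     which means the most restrictive configured action decides the outcome.
"""
from enum import IntEnum


class Action(IntEnum):
    # Numeric value encodes restrictiveness: higher is more restrictive (assumed).
    MONITOR = 0   # pass the connection through and log it
    DECRYPT = 1   # decrypt and present the untrusted-certificate warning
    DROP = 2      # drop the connection


# Illustrative failure-reason labels (assumed names).
UNRECOGNIZED_ROOT = "unrecognized_root"
EXPIRED = "expired"
MISMATCHED_HOSTNAME = "mismatched_hostname"
INVALID_LEAF = "invalid_leaf"


def resolution_order(failures, policy):
    """Return [(reason, action), ...] from most to least restrictive.

    `failures` is the set of validation failures observed for one server
    certificate; `policy` maps each failure reason to its configured Action.
    """
    failures = set(failures)
    unknown = failures - policy.keys()
    if unknown:
        raise ValueError(f"no action configured for: {sorted(unknown)}")
    # Rule 1: the special case collapses to a single action.
    if failures == {UNRECOGNIZED_ROOT, EXPIRED}:
        return [(UNRECOGNIZED_ROOT, policy[UNRECOGNIZED_ROOT])]
    # Rule 2: most restrictive first; ties broken by reason name for determinism.
    return sorted(((r, policy[r]) for r in failures),
                  key=lambda item: (-int(item[1]), item[0]))


def resolve_action(failures, policy):
    """The single action the proxy ends up performing, or None if valid."""
    order = resolution_order(failures, policy)
    return order[0][1] if order else None


if __name__ == "__main__":
    # Constructed policy: expired certs are dropped, unknown roots decrypted,
    # hostname mismatches only monitored.
    policy = {
        UNRECOGNIZED_ROOT: Action.DECRYPT,
        EXPIRED: Action.DROP,
        MISMATCHED_HOSTNAME: Action.MONITOR,
        INVALID_LEAF: Action.DROP,
    }
    cases = [
        {UNRECOGNIZED_ROOT, EXPIRED},                       # rule 1 -> DECRYPT
        {EXPIRED, MISMATCHED_HOSTNAME},                     # rule 2 -> DROP
        {MISMATCHED_HOSTNAME},                              # single -> MONITOR
        {UNRECOGNIZED_ROOT, EXPIRED, MISMATCHED_HOSTNAME},  # rule 2 -> DROP
    ]
    for failures in cases:
        print(sorted(failures), "->", resolve_action(failures, policy).name)
```

The first case is the one worth noticing in a review: "expired" alone would drop the connection, yet combined with an unrecognized root the guide's exception sends it down the unrecognized-root path, here a decrypt with the untrusted-certificate warning. Whether the exception also applies when a third failure is present is not stated on this page; the code treats that as an ordinary multi-reason case.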
Untrusted Certificate Warnings for Decrypted Connections
When the Web Security appliance encounters an invalid certificate and is configured to decrypt the connection, AsyncOS creates an untrusted certificate that requires the end-user to accept or reject the connection. The common name of the certificate is “Untrusted Certificate Warning.”
Adding this untrusted certificate to the list of trusted certificates will remove the end user’s option to accept or reject the connection.
When AsyncOS generates one of these certificates, it creates a proxy log entry with the text “Signing untrusted key” or “Signing untrusted cert”.
Enabling HTTPS Certificate Validation and Content Decryption
Step 1
Navigate to the Security Services > HTTPS Proxy page, and click Enable and Edit Settings.
Step 2
Read the terms of the HTTPS Proxy License Agreement, and click Accept.
Step 3
Verify the Enable HTTPS Proxy field is enabled.
Step 4
Specify the ports for which the appliance should serve as HTTPS Proxy. Separate multiple port numbers with commas. Port 443 is the default port.
Note
The maximum number of ports for which the Web Security appliance can serve as proxy is 30, which includes both HTTP and HTTPS. See , for information about specifying the ports for which the appliance serves as HTTP proxy.
Step 5
Either upload or generate a root/signing certificate to use for decryption.
Note
If the appliance has both an uploaded certificate and key pair and a generated certificate and key pair, it only uses the certificate and key pair currently selected in the Root Certificate for Signing section.