Cisco Cisco Web Security Appliance S170 Guía Del Usuario
11-12
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 11 Processing HTTPS Traffic
Managing Certificate Validation and Decryption for HTTPS
•
Certificate Revocation List (Comodo certificates only). The Web Security appliance checks
Comodo’s certificate revocation list. Comodo maintains this list, updating it according to their own
policies. Depending on when it was last updated, the certificate revocation list may be out of date at
the time the Web Security appliance checks it.
Comodo’s certificate revocation list. Comodo maintains this list, updating it according to their own
policies. Depending on when it was last updated, the certificate revocation list may be out of date at
the time the Web Security appliance checks it.
•
Online Certificate Status Protocol (OCSP). The Web Security appliance checks the revocation
status with the issuing certificate authority in real time. If the issuing certificate authority supports
OCSP, the certificate will include a URL for real-time status checking. This feature is enabled by
default for fresh installations and disabled by default for updates.
status with the issuing certificate authority in real time. If the issuing certificate authority supports
OCSP, the certificate will include a URL for real-time status checking. This feature is enabled by
default for fresh installations and disabled by default for updates.
Note
The Web Security appliance only performs the OCSP query for certificates that it determines to be valid
in all other respects and that include the OCSP URL.
in all other respects and that include the OCSP URL.
Related Topics
•
•
Enabling Real-Time Revocation Status Checking
Before you Begin
•
Ensure the HTTPS Proxy is enabled. See
Step 1
Navigate to Security Services > HTTPS Proxy.
Step 2
Click Edit Settings.
Step 3
Select Enable Online Certificate Status Protocol (OCSP).
Step 4
Configure the OCSP Result Handling properties,
Cisco recommends configuring the OCSP Result Handling options to the same actions as Invalid
Certificate Handling options. For example, if you set Expired Certificate to Monitor, configure Revoked
Certificate to monitor.
Certificate Handling options. For example, if you set Expired Certificate to Monitor, configure Revoked
Certificate to monitor.
Step 5
(Optional) Expand the Advanced configuration section and configure the settings described in
Table 11-1
.
Table 11-1
OCSP Configuration Fields
Field Name
Description
OCSP Valid Response Cache Timeout
Time to wait before rechecking a valid OCSP response in
seconds (s), minutes (m), hours (h), or days (d). Default unit
is seconds. Valid range is from 1 second to 7 days.
seconds (s), minutes (m), hours (h), or days (d). Default unit
is seconds. Valid range is from 1 second to 7 days.
OCSP Invalid Response Cache Timeout
Time to wait before rechecking an invalid OCSP response in
seconds (s), minutes (m), hours (h), or days (d). Default unit
is seconds. Valid range is from 1 second to 7 days.
seconds (s), minutes (m), hours (h), or days (d). Default unit
is seconds. Valid range is from 1 second to 7 days.
OCSP Network Error Cache Timeout
Time to wait before attempting to contact the OCSP responder
again after failing to get a response in seconds (s), minutes
(m), hours (h), or days (d). Valid range from 1 second to 24
hours.
again after failing to get a response in seconds (s), minutes
(m), hours (h), or days (d). Valid range from 1 second to 24
hours.