Cisco Cisco Web Security Appliance S190 Guía Del Usuario
11-9
AsyncOS 9.1 for Cisco Web Security Appliances User Guide
Chapter 11 Create Decryption Policies to Control HTTPS Traffic
Root Certificates
Step 4
Submit and Commit Changes.
Options for Certificate Revocation Status Checking
To determine whether the issuing certificate authority has revoked a certificate, the Web Security
appliance can check with the issuing certificate authority in these ways:
appliance can check with the issuing certificate authority in these ways:
•
Certificate Revocation List (Comodo certificates only). The Web Security appliance checks
Comodo’s certificate revocation list. Comodo maintains this list, updating it according to their own
policies. Depending on when it was last updated, the certificate revocation list may be out of date at
the time the Web Security appliance checks it.
Comodo’s certificate revocation list. Comodo maintains this list, updating it according to their own
policies. Depending on when it was last updated, the certificate revocation list may be out of date at
the time the Web Security appliance checks it.
•
Online Certificate Status Protocol (OCSP). The Web Security appliance checks the revocation
status with the issuing certificate authority in real time. If the issuing certificate authority supports
OCSP, the certificate will include a URL for real-time status checking. This feature is enabled by
default for fresh installations and disabled by default for updates.
status with the issuing certificate authority in real time. If the issuing certificate authority supports
OCSP, the certificate will include a URL for real-time status checking. This feature is enabled by
default for fresh installations and disabled by default for updates.
Note
The Web Security appliance only performs the OCSP query for certificates that it determines to be valid
in all other respects and that include the OCSP URL.
in all other respects and that include the OCSP URL.
Related Topics
•
•
Enabling Real-Time Revocation Status Checking
Before You Begin
•
Ensure the HTTPS Proxy is enabled. See
Step 1
Security Services > HTTPS Proxy.
Step 2
Click Edit Settings.
Step 3
Select Enable Online Certificate Status Protocol (OCSP).
Step 4
Configure the OCSP Result Handling properties,
Cisco recommends configuring the OCSP Result Handling options to the same actions as Invalid
Certificate Handling options. For example, if you set Expired Certificate to Monitor, configure Revoked
Certificate to monitor.
Certificate Handling options. For example, if you set Expired Certificate to Monitor, configure Revoked
Certificate to monitor.
Invalid leaf certificate
There was a problem with the leaf certificate, for example, a rejection,
decoding, or mismatch problem.
decoding, or mismatch problem.
All other error types
Most other error types are due to the appliance not being able to complete
the SSL handshake with the HTTPS server. For more information about
additional error scenarios for server certificates, see
http://www.openssl.org/docs/apps/verify.html.
the SSL handshake with the HTTPS server. For more information about
additional error scenarios for server certificates, see
http://www.openssl.org/docs/apps/verify.html.
Certificate Error Type
Description