Cisco Web Security Appliance S190 User Guide
AsyncOS 9.1 for Cisco Web Security Appliances User Guide
Chapter 22 Perform System Administration Tasks
Certificate Management
Step 2: Click Generate New Certificate and Key.
a. In the Generate Certificate and Key dialog box, enter the necessary generation information.
Note: You can enter any ASCII character except the forward slash ( / ) in the Common Name field.
b. Click Generate in the Generate Certificate and Key dialog box.
When generation is complete, the certificate information is displayed in the Certificate section,
along with two links: Download Certificate and Download Certificate Signing Request. In
addition, there is a Signed Certificate option that is used to upload the signed certificate when you
receive it from the Certificate Authority (CA).
Step 3: Click Download Certificate to download the new certificate for upload to the appliance.
Step 4: Click Download Certificate Signing Request to download the new certificate file for transmission to a
Certificate Authority (CA) for signing. See
for more
information about this process.
a. When the CA returns the signed certificate, click Browse in the Signed Certificate portion of the
Certificate field to locate the signed-certificate file, and then click Upload File to upload it to
the appliance.
b. Ensure the CA’s root certificate is present in the appliance’s list of trusted root certificates. If it is
not, add it. See
for more information.
Certificate Signing Requests
The Web Security appliance cannot generate Certificate Signing Requests (CSR) for certificates
uploaded to the appliance. Therefore, to have a certificate created for the appliance, you must issue the
signing request from another system. Save the PEM-formatted key from this system because you will
need to install it on the appliance later.
You can use any UNIX machine with a recent version of OpenSSL installed. Be sure to put the appliance
hostname in the CSR. Use the guidelines at the following location for information on generating a CSR
using OpenSSL:
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28
Once the CSR has been generated, submit it to a certificate authority (CA). The CA will return the
certificate in PEM format.
If you are acquiring a certificate for the first time, search the Internet for “certificate authority services
SSL server certificates,” and choose the service that best meets the needs of your organization. Follow
the service’s instructions for obtaining an SSL certificate.
Note: You can also generate and sign your own certificate. Tools for doing this are included with OpenSSL,
free software from http://www.openssl.org.
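The CSR workflow described in this section, as an added example that is not part of the Cisco guide: it creates the PEM key and a CSR carrying the appliance hostname on a separate UNIX machine, then checks that a returned certificate matches the saved key before upload. The hostname wsa.example.com, the file names and the function names are assumptions, and a self-signed certificate stands in for the CA's response.

```shell
# Added example: wsa.example.com and all file names are constructed placeholders.
# make_csr HOST DIR: write HOST.key.pem (PEM private key) and HOST.csr.pem to DIR,
# with the appliance hostname as Common Name and subjectAltName.
make_csr() {
    host=$1; dir=$2
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    ( umask 077   # key file readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
          -keyout "$dir/$host.key.pem" -out "$dir/$host.csr.pem" ) 2>/dev/null
}

# pub_fp KIND FILE: SHA-256 of the public key in a key, req (CSR) or x509 file;
# fails on an unreadable file instead of hashing empty input.
pub_fp() {
    if [ "$1" = key ]; then pem=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    else pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null); fi || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# csr_names_host HOST CSR: succeed only if the CSR lists exactly DNS:HOST.
csr_names_host() {
    openssl req -in "$2" -noout -text 2>/dev/null | tr ', ' '\n\n' | grep -qxF "DNS:$1"
}

# cert_matches_key CERT KEY: succeed only if CERT was issued for the saved KEY.
cert_matches_key() {
    c=$(pub_fp x509 "$1") && k=$(pub_fp key "$2") && [ "$c" = "$k" ]
}

# Demo: a self-signed certificate stands in for the file a CA would return.
demo() {
    d=$(mktemp -d) && h=wsa.example.com
    make_csr "$h" "$d" && csr_names_host "$h" "$d/$h.csr.pem" &&
    openssl x509 -req -in "$d/$h.csr.pem" -signkey "$d/$h.key.pem" \
        -days 30 -out "$d/$h.cert.pem" 2>/dev/null &&
    cert_matches_key "$d/$h.cert.pem" "$d/$h.key.pem"; rc=$?
    rm -rf "$d"; return $rc
}
demo && echo "CSR names the host and the certificate matches the saved key"
```

Running cert_matches_key against the CA's PEM file before upload catches the case where the certificate was issued for a different CSR than the one whose key was saved.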
Intermediate Certificates
In addition to root certificate authority (CA) certificate verification, AsyncOS supports the use of
intermediate certificate verification. Intermediate certificates are certificates issued by a trusted root CA
which are then used to create additional certificates. This creates a chained line of trust. For example, a