Cisco Web Security Appliance S160 User Guide
AsyncOS 9.1 for Cisco Web Security Appliances User Guide
Chapter 11 Create Decryption Policies to Control HTTPS Traffic
Root Certificates
You can choose how to handle the root certificates issued by the Web Security appliance:
• Inform users to accept the root certificate. You can inform the users in your organization what the new policies are at the company and tell them to accept the root certificate supplied by the organization as a trusted source.
• Add the root certificate to client machines. You can add the root certificate to all client machines on the network as a trusted root certificate authority. This way, the client applications automatically accept transactions with the root certificate.
Step 1  Go to Security Services > HTTPS Proxy.
Step 2  Click Edit Settings.
Step 3  Click the Download Certificate link for either the generated or uploaded certificate.
Note  To reduce the possibility of client machines getting a certificate error, submit the changes after you generate or upload the root certificate to the Web Security appliance, then distribute the certificate to client machines, and then commit the changes to the appliance.
Managing Certificate Validation and Decryption for HTTPS
The Web Security appliance validates certificates before inspecting and decrypting content.
Valid Certificates
Qualities of a valid certificate:
• Not expired. The certificate’s validity period includes the current date.
• Recognized certificate authority. The issuing certificate authority is included in the list of trusted certificate authorities stored on the Web Security appliance.
• Valid signature. The digital signature was properly implemented based on cryptographic standards.
• Consistent naming. The common name matches the hostname specified in the HTTP header.
• Not revoked. The issuing certificate authority has not revoked the certificate.
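The checks listed above can be reproduced with the openssl command line to see which quality a given server certificate fails. This is an added example, not part of the Cisco guide and not the appliance's own implementation; the function names, certificate names and hostnames are constructed for the illustration, and the revocation check is not covered.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed test data.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME: create a constructed self-signed root CA at $WORK/NAME.pem
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root $1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_server ROOT CN: issue $WORK/srv.pem for common name CN, signed by ROOT
make_server() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -days 1 -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/srv.pem" 2>/dev/null
}

# check_cert CERT TRUSTED_CAS HOSTNAME: print "valid" or the first failed quality
check_cert() {
    # Not expired: notAfter has not passed yet.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "expired"; return 0; }
    # Recognized CA and valid signature: the chain verifies against the trust list.
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
        { echo "untrusted-or-bad-signature"; return 0; }
    # Consistent naming: the certificate matches the requested hostname.
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1 ||
        { echo "name-mismatch"; return 0; }
    echo "valid"
}

make_root trusted     # stands in for a CA on the trusted list
make_root unknown     # a CA that is not on the trusted list
make_server trusted www.example.test

check_cert "$WORK/srv.pem" "$WORK/trusted.pem" www.example.test
check_cert "$WORK/srv.pem" "$WORK/trusted.pem" other.example.test
check_cert "$WORK/srv.pem" "$WORK/unknown.pem" www.example.test
```

The constructed server certificate carries no subject alternative name, so openssl falls back to matching the common name, which is the comparison the list above describes.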
Invalid Certificate Handling
The appliance can perform one of the following actions for invalid server certificates:
• Drop.
• Decrypt.
• Monitor.