Cisco Web Security Appliance S680 User Guide
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Chapter 11 Create Decryption Policies to Control HTTPS Traffic
Root Certificates
Step 1
Security Services > HTTPS Proxy.
Step 2
Click Edit Settings.
Step 3
Select Use Generated Certificate and Key.
Step 4
Click Generate New Certificate and Key.
Step 5
In the Generate Certificate and Key dialog box, enter the information to display in the root certificate.
You can enter any ASCII character except the forward slash ( / ) in the Common Name field.
Step 6
Click Generate.
Step 7
The generated certificate information is displayed on the Edit HTTPS Proxy Settings page.
Step 8
(Optional) Click Download Certificate so you can transfer it to the client applications on the network.
Step 9
(Optional) Click the Download Certificate Signing Request link so you can submit the Certificate
Signing Request (CSR) to a certificate authority (CA).
Step 10
(Optional) Upload the signed certificate to the Web Security appliance after receiving it back from the
CA. You can do this at any time after generating the certificate on the appliance.
Step 11
Submit and Commit Changes.
Configuring Invalid Certificate Handling
Before you begin
•
Step 1
Security Services > HTTPS Proxy.
Step 2
Click Edit Settings.
Step 3
For each type of certificate error, define the proxy response: Drop, Decrypt, or Monitor.
Certificate Error Type              Description
Expired                             The current date falls outside of the range of validity for the certificate.
Mismatched hostname                 The hostname in the certificate does not match the hostname the client was
                                    trying to access.
                                    Note: The Web Proxy can only perform hostname match when it is
                                    deployed in explicit forward mode. When it is deployed in
                                    transparent mode, it does not know the hostname of the destination
                                    server (it only knows the IP address), so it cannot compare it to the
                                    hostname in the server certificate.
Unrecognized root authority/issuer  Either the root authority or an intermediate certificate authority is
                                    unrecognized.
Invalid signing certificate         There was a problem with the signing certificate.
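
The following Python sketch is an added illustration, not code from Cisco or from the appliance. It shows how the Expired and Mismatched hostname rows of the table, and the transparent-mode note, translate into checks and per-error responses. The function names, the sample certificate (a dict shaped like the output of Python's ssl.SSLSocket.getpeercert()) and the sample policy are assumptions constructed for the example.

```python
import ssl

def _name_matches(pattern, hostname):
    """'*' may replace only the whole left-most label (RFC 6125 style)."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def classify(cert, mode, now, requested_host=None):
    """Return the error types from the table that apply to `cert`.

    cert: dict shaped like the result of ssl.SSLSocket.getpeercert()
    mode: "explicit" or "transparent" (how the proxy is deployed)
    now:  current time as seconds since the epoch
    """
    errors = set()
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:   # outside the validity range, either side
        errors.add("Expired")
    # Only an explicit forward proxy knows the hostname the client asked for;
    # in transparent mode it sees just the destination IP, so no comparison.
    if mode == "explicit" and requested_host:
        names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        if not any(_name_matches(n, requested_host) for n in names):
            errors.add("Mismatched hostname")
    return errors

def proxy_responses(cert, mode, now, policy, requested_host=None):
    """Map each detected error type to the response configured for it."""
    return {e: policy[e] for e in classify(cert, mode, now, requested_host)}

# Constructed sample data (not taken from an appliance).
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
SAMPLE_POLICY = {"Expired": "Drop", "Mismatched hostname": "Monitor"}
MID_2023 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2023 GMT")

if __name__ == "__main__":
    print(proxy_responses(SAMPLE_CERT, "explicit", MID_2023, SAMPLE_POLICY, "www.example.org"))
    print(proxy_responses(SAMPLE_CERT, "transparent", MID_2023, SAMPLE_POLICY))
```

In the transparent-mode call no hostname error is reported for the same certificate, which is why the Mismatched hostname setting has no effect in that deployment.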