Cisco Web Security Appliance S190 User Guide
11-9
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Chapter 11 Create Decryption Policies to Control HTTPS Traffic
Root Certificates
Invalid Certificate Handling
The appliance can perform one of the following actions for invalid server certificates:
• Drop.
• Decrypt.
• Monitor.
Certificates that are Invalid for Multiple Reasons
For server certificates that are invalid due to both an unrecognized root authority and an expired certificate, the HTTPS proxy performs the action that applies to unrecognized root authorities.
In all other cases, for server certificates that are invalid for multiple reasons simultaneously, the HTTPS Proxy performs actions in order from the most restrictive action to the least restrictive action.
Untrusted Certificate Warnings for Decrypted Connections
When the Web Security appliance encounters an invalid certificate and is configured to decrypt the connection, AsyncOS creates an untrusted certificate that requires the end user to accept or reject the connection. The common name of the certificate is “Untrusted Certificate Warning.”
Adding this untrusted certificate to the list of trusted certificates will remove the end user’s option to accept or reject the connection.
When AsyncOS generates one of these certificates, it creates a proxy log entry with the text “Signing untrusted key” or “Signing untrusted cert”.
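The two rules above (the unrecognized-root-plus-expired exception, and "most restrictive action wins" otherwise) and the proxy-log text for generated untrusted certificates, worked through as an added example; this is not Cisco's code. It assumes Drop is more restrictive than Decrypt, which is more restrictive than Monitor, and the reason names other than the two the guide mentions are hypothetical.

```python
from enum import IntEnum


class Action(IntEnum):
    # Ordered least to most restrictive (assumption: Monitor < Decrypt < Drop).
    MONITOR = 1
    DECRYPT = 2
    DROP = 3


# Constructed policy: the action configured for each kind of invalid certificate.
# "mismatched_hostname" is a hypothetical reason name, not taken from the guide.
POLICY = {
    "unrecognized_root": Action.MONITOR,
    "expired": Action.DROP,
    "mismatched_hostname": Action.DECRYPT,
}


def resolve_action(reasons, policy=POLICY):
    """Return the action taken for a server certificate that failed validation
    for the given reasons, following the precedence rules in the guide."""
    reasons = set(reasons)
    if not reasons:
        return None  # valid certificate: no invalid-certificate action applies
    unknown = reasons - set(policy)
    if unknown:
        raise ValueError(f"no action configured for: {sorted(unknown)}")
    # Special case: unrecognized root AND expired -> the unrecognized-root action.
    # (Assumption: the rule applies when exactly these two reasons are present.)
    if reasons == {"unrecognized_root", "expired"}:
        return policy["unrecognized_root"]
    # Otherwise the most restrictive configured action among the reasons wins.
    return max(policy[r] for r in reasons)


# Log text the guide says AsyncOS writes when it signs an untrusted certificate.
UNTRUSTED_SIGNING_MARKERS = ("Signing untrusted key", "Signing untrusted cert")


def count_untrusted_signings(proxy_log_lines):
    """Count proxy log entries recording a generated untrusted certificate."""
    return sum(
        1 for line in proxy_log_lines
        if any(marker in line for marker in UNTRUSTED_SIGNING_MARKERS)
    )
```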
Uploading a Root Certificate and Key
Before You Begin
• Enable the HTTPS Proxy.
Step 1 Choose Security Services > HTTPS Proxy.
Step 2 Click Edit Settings.
Step 3 Select Use Uploaded Certificate and Key.
Step 4 Click Browse for the Certificate field to navigate to the certificate file stored on the local machine.
If the file you upload contains multiple certificates or keys, the Web Proxy uses the first certificate or key in the file.
Step 5 Click Browse for the Key field to navigate to the private key file.
Note The key length must be 512, 1024, or 2048 bits.
Step 6 Select Key is Encrypted if the key is encrypted.
Step 7 Click Upload Files to transfer the certificate and key files to the Web Security appliance.