Cisco Web Security Appliance S680 User Guide
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Chapter 11 Create Decryption Policies to Control HTTPS Traffic
Root Certificates
• Upload. You can upload a certificate file and its matching private key file created outside of
the appliance.
Note
You can also upload an intermediate certificate that has been signed by a root certificate authority. When
the Web Proxy mimics the server certificate, it sends the uploaded certificate along with the mimicked
certificate to the client application. That way, as long as the intermediate certificate is signed by a root
certificate authority that the client application trusts, the application will trust the mimicked server
certificate, too. See
for more information.
You can choose how to handle the root certificates issued by the Web Security appliance:
• Inform users to accept the root certificate. You can inform the users in your organization what the
new policies are at the company and tell them to accept the root certificate supplied by the
organization as a trusted source.
• Add the root certificate to client machines. You can add the root certificate to all client machines
on the network as a trusted root certificate authority. This way, the client applications automatically
accept transactions with the root certificate.
Step 1 Choose Security Services > HTTPS Proxy.
Step 2 Click Edit Settings.
Step 3 Click the Download Certificate link for either the generated or uploaded certificate.
Note
To reduce the possibility of client machines getting a certificate error, submit the changes after you
generate or upload the root certificate to the Web Security appliance, then distribute the certificate to
client machines, and then commit the changes to the appliance.
Managing Certificate Validation and Decryption for HTTPS
The Web Security appliance validates certificates before inspecting and decrypting content.
Valid Certificates
Qualities of a valid certificate:
• Not expired. The certificate’s validity period includes the current date.
• Recognized certificate authority. The issuing certificate authority is included in the list of trusted
certificate authorities stored on the Web Security appliance.
• Valid signature. The digital signature was properly implemented based on cryptographic standards.
• Consistent naming. The common name matches the hostname specified in the HTTP header.
• Not revoked. The issuing certificate authority has not revoked the certificate.
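The qualities listed above, applied to a parsed certificate in the shape that Python's `ssl.SSLSocket.getpeercert()` returns. This is an added example, not Cisco's code or the appliance's logic; the sample certificate, trust list and revoked-serial set are constructed, and signature verification is left out because it needs the raw certificate rather than parsed fields.

```python
import ssl

def _field(name, key):
    """First value for `key` in a getpeercert()-style subject/issuer tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def _name_matches(common_name, host_header):
    """Compare the CN with the HTTP Host header value, port stripped.
    A leading '*.' matches exactly one left-most label. IPv6 literals
    are not handled."""
    host = host_header.lower().partition(":")[0].rstrip(".")
    cn = (common_name or "").lower()
    if cn.startswith("*."):
        return host.count(".") >= 2 and host.split(".", 1)[1] == cn[2:]
    return bool(cn) and host == cn

def invalid_reasons(cert, host_header, trusted_issuers, revoked_serials, now):
    """Return the list of failed qualities; an empty list means none failed."""
    reasons = []
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:  # validity period must include "now"
        reasons.append("outside-validity-period")
    if _field(cert["issuer"], "commonName") not in trusted_issuers:
        reasons.append("unrecognized-ca")
    if not _name_matches(_field(cert["subject"], "commonName"), host_header):
        reasons.append("name-mismatch")
    if cert["serialNumber"].upper() in revoked_serials:
        reasons.append("revoked")
    return reasons

# Constructed sample data (not taken from any real certificate or appliance).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.intranet.example"),),),
    "issuer": ((("commonName", "Example Corp Issuing CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "serialNumber": "0A1B2C",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
TRUSTED = {"Example Corp Issuing CA"}

if __name__ == "__main__":
    print(invalid_reasons(SAMPLE_CERT, "wiki.intranet.example:443",
                          TRUSTED, set(), SAMPLE_NOW))
    print(invalid_reasons(SAMPLE_CERT, "wiki.other.example",
                          set(), {"0A1B2C"}, SAMPLE_NOW + 365 * 86400))
```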