AsyncOS 8.8 for Cisco Web Security Appliances User Guide
Chapter 11  Create Decryption Policies to Control HTTPS Traffic
Root Certificates
Step 4
Submit and Commit Changes.
Options for Certificate Revocation Status Checking
To determine whether the issuing certificate authority has revoked a certificate, the Web Security appliance can check with the issuing certificate authority in these ways:
Certificate Revocation List (Comodo certificates only). The Web Security appliance checks Comodo's certificate revocation list. Comodo maintains this list, updating it according to their own policies. Depending on when it was last updated, the certificate revocation list may be out of date at the time the Web Security appliance checks it.
Online Certificate Status Protocol (OCSP). The Web Security appliance checks the revocation status with the issuing certificate authority in real time. If the issuing certificate authority supports OCSP, the certificate will include a URL for real-time status checking. This feature is enabled by default for fresh installations and disabled by default for updates.
Note
The Web Security appliance only performs the OCSP query for certificates that it determines to be valid in all other respects and that include the OCSP URL.
Related Topics
Enabling Real-Time Revocation Status Checking
Before you Begin
Ensure the HTTPS Proxy is enabled. See 
Step 1
Security Services > HTTPS Proxy.
Step 2
Click Edit Settings.
Step 3
Select Enable Online Certificate Status Protocol (OCSP).
Step 4
Configure the OCSP Result Handling properties.
Cisco recommends configuring the OCSP Result Handling options to the same actions as the Invalid Certificate Handling options. For example, if you set Expired Certificate to Monitor, configure Revoked Certificate to Monitor.
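The two rules above (OCSP is queried only for certificates that are otherwise valid and carry an OCSP URL; OCSP Result Handling should mirror Invalid Certificate Handling) as a small Python model and configuration lint. This is an added example, not Cisco's code; the action names Drop / Decrypt / Monitor and the Revoked-to-Expired pairing are assumptions based on the page's own example.

```python
# Added example (not Cisco's code): a model of the revocation-check decision
# described above plus a lint for the recommended handling configuration.
# Action names and the Revoked -> Expired pairing are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTIONS = {"Drop", "Decrypt", "Monitor"}  # assumed set of handling actions


@dataclass
class CertCheck:
    """Outcome of the appliance's other checks on a server certificate."""
    expired: bool = False
    invalid_leaf: bool = False      # rejection, decoding or mismatch problem
    handshake_error: bool = False   # "all other error types"
    ocsp_url: Optional[str] = None  # responder URL carried in the certificate


def should_query_ocsp(check: CertCheck) -> bool:
    """OCSP is queried only when the certificate is valid in all other
    respects and includes an OCSP URL (the Note above)."""
    other_errors = check.expired or check.invalid_leaf or check.handshake_error
    return not other_errors and bool(check.ocsp_url)


def lint_ocsp_handling(invalid_cert_handling: Dict[str, str],
                       ocsp_result_handling: Dict[str, str],
                       pairs: Optional[Dict[str, str]] = None
                       ) -> List[Tuple[str, str, str, str]]:
    """Flag OCSP Result Handling options whose action differs from the paired
    Invalid Certificate Handling option. Returns tuples of
    (ocsp_option, ocsp_action, invalid_cert_option, invalid_cert_action)."""
    pairs = pairs or {"Revoked Certificate": "Expired Certificate"}  # assumed
    for name, action in list(invalid_cert_handling.items()) + \
            list(ocsp_result_handling.items()):
        if action not in ACTIONS:
            raise ValueError(f"{name}: unknown action {action!r}")
    mismatches = []
    for ocsp_opt, inv_opt in pairs.items():
        if ocsp_opt in ocsp_result_handling and inv_opt in invalid_cert_handling:
            a, b = ocsp_result_handling[ocsp_opt], invalid_cert_handling[inv_opt]
            if a != b:
                mismatches.append((ocsp_opt, a, inv_opt, b))
    return mismatches


if __name__ == "__main__":
    # Constructed sample: Expired set to Monitor but Revoked left at Drop.
    print(should_query_ocsp(CertCheck(ocsp_url="http://ocsp.example.test")))
    print(lint_ocsp_handling({"Expired Certificate": "Monitor"},
                             {"Revoked Certificate": "Drop"}))
```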
Certificate Error Type | Description
Invalid leaf certificate | There was a problem with the leaf certificate, for example, a rejection, decoding, or mismatch problem.
All other error types | Most other error types are due to the appliance not being able to complete the SSL handshake with the HTTPS server. For more information about additional error scenarios for server certificates, see http://www.openssl.org/docs/apps/verify.html.