Cisco Web Security Appliance S170 User Guide

Chapter 10      Decryption Policies
Digital Certificates
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
The Web Security appliance also installs with a set of trusted root certificates. However, you can upload additional root certificates that the Web Proxy will treat as trusted. For more information about this, see .
Validating Digital Certificates
A certificate can be valid or invalid, and it may be invalid for several different reasons. For example, the current time may be before the start or after the end of the certificate's validity period; the root authority that issued the certificate may not be recognized, that is, the certificate does not chain to a root in the appliance's trusted root store; or the Common Name of the certificate may not match the hostname specified in the HTTP "Host" header.
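As an added example (not Cisco's code and not taken from this guide), the following Go program reproduces the three validation failures listed above using Go's standard-library X.509 verifier. It constructs one trusted root, one untrusted root and several server certificates in-process (the CA names, the dates, the serial numbers and the Host value www.example.com are all constructed test data), then classifies each certificate the way a proxy must before it decides whether to decrypt. One difference from the text is worth knowing: modern verifiers, Go's included, match the hostname against the certificate's Subject Alternative Name entries rather than its Common Name, and Go reports the validity-period check before the hostname check and the hostname check before the chain check, so a certificate with several defects is reported under the first one found.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Reason is why a server certificate failed validation. The three named causes
// are the ones the guide lists; anything else is reported as OtherInvalid.
type Reason string

const (
	Valid           Reason = "valid"
	OutsideValidity Reason = "outside validity period"
	UnknownRoot     Reason = "root authority not recognized"
	NameMismatch    Reason = "name does not match Host header"
	OtherInvalid    Reason = "invalid for another reason"
)

// classify validates leaf against the proxy's trusted roots for the hostname
// taken from the HTTP Host header, as of time now, and maps the first failure
// Go reports (validity period, then SAN hostname, then chain) to a Reason.
func classify(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) Reason {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err == nil {
		return Valid
	}
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired: // also "not yet valid"
		return OutsideValidity
	case errors.As(err, &unknown):
		return UnknownRoot
	case errors.As(err, &hostErr):
		return NameMismatch
	}
	return OtherInvalid
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

var serial int64 // constructed test serial numbers; a real CA uses random ones

// issue creates a constructed test certificate: a self-signed CA when parent is
// nil, otherwise a server certificate for names signed by parent.
func issue(names []string, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: names[0]},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.DNSNames = names // SAN entries; this is what the hostname check compares against
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// runScenarios builds one trusted and one untrusted root plus five server
// certificates, then classifies each for a request carrying Host: www.example.com.
func runScenarios() map[string]Reason {
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC) // constructed "current time"
	day := 24 * time.Hour
	trusted, trustedKey := issue([]string{"Trusted Root CA"}, now.Add(-365*day), now.Add(3650*day), nil, nil)
	untrusted, untrustedKey := issue([]string{"Some Other CA"}, now.Add(-365*day), now.Add(3650*day), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trusted) // the proxy's trust store: only this root is recognized

	const host = "www.example.com"
	cases := map[string]*x509.Certificate{}
	cases["valid"], _ = issue([]string{host}, now.Add(-day), now.Add(90*day), trusted, trustedKey)
	cases["expired"], _ = issue([]string{host}, now.Add(-400*day), now.Add(-day), trusted, trustedKey)
	cases["not yet valid"], _ = issue([]string{host}, now.Add(day), now.Add(90*day), trusted, trustedKey)
	cases["unknown root"], _ = issue([]string{host}, now.Add(-day), now.Add(90*day), untrusted, untrustedKey)
	cases["name mismatch"], _ = issue([]string{"www.example.net"}, now.Add(-day), now.Add(90*day), trusted, trustedKey)

	results := map[string]Reason{}
	for name, cert := range cases {
		results[name] = classify(cert, roots, host, now)
	}
	return results
}

func main() {
	for name, reason := range runScenarios() {
		fmt.Printf("%-14s -> %s\n", name, reason)
	}
}
```

The "unknown root" case is the one an uploaded root certificate changes: adding "Some Other CA" to the pool with roots.AddCert would turn that result into Valid, which is exactly what uploading an additional trusted root does on the appliance, so a trust-store addition should be reviewed as carefully as any other change to the Decryption Policy.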
The Web Security appliance verifies that a server certificate is valid before it inspects and decrypts an HTTPS connection to a server. You can configure how the appliance handles connections to servers that present invalid certificates. The appliance can perform one of the following actions for invalid server certificates:
  • Drop. The appliance drops the connection and does not notify the client. This is the most restrictive option.
  • Decrypt. The appliance allows the connection but inspects its content. It decrypts the traffic and applies Access Policies to the decrypted traffic as if it were a plaintext HTTP connection. For more information about how the appliance decrypts HTTPS traffic, see 
  • Monitor. The appliance does not drop the connection; instead, it continues comparing the server request with the Decryption Policy groups. This is the least restrictive option.
Note
When an invalid server certificate is monitored, the appliance does not correct or replace the certificate: the errors in the certificate are retained and the certificate is passed along to the end user, so the client sees the same certificate errors it would see without the proxy.
For more information about configuring the appliance to handle invalid server certificates, see .