Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12      Decryption Policies
Digital Certificates
Figure 12-2 Certification Path Example
In Figure 12-2, the certificate for the URL investing.schwab.com was signed by certificate authority “VeriSign Class 3 Extended Validation SSL CA,” which in turn was signed by certificate authority VeriSign.
By definition, root certificates are always trusted by applications that follow the X.509 standard. The Web Security appliance uses the X.509 standard.
Standard web browsers ship with a set of trusted root certificates. The list of root certificates is updated regularly. You can view the root certificates installed on the web browser.
For example, to view the root certificates installed with Mozilla Firefox 2.0, go to Tools > Options > Advanced > Encryption > View Certificates. To view the root certificates installed with Internet Explorer 7, go to Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities.
In Figure 12-2, the VeriSign certificate is a root certificate that shipped with the web browser.
The Web Security appliance also installs with a set of trusted root certificates. However, you can upload additional root certificates that the Web Proxy deems to be trusted. For more information about this, see .
Validating Digital Certificates
Certificates can be valid or invalid. A certificate may be invalid for different reasons. For example, the current time may be before or after the certificate validity period, the root authority in the certificate may not be recognized, or the Common Name of the certificate may not match the hostname specified in the HTTP “Host” header.
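As an added example that is not part of the Cisco guide, the three invalidity reasons just listed can be reproduced with Go's standard crypto/x509 package. The code builds a throwaway chain shaped like the certification path in Figure 12-2 (server certificate signed by an issuing CA, which is signed by a root; the names "Example Root CA", "Example Class 3 EV SSL CA" and investing.example.com are constructed, not VeriSign's or Schwab's certificates) and then validates the server certificate against a trusted root store, a point in time and the requested hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn signed by parent; a nil parent yields a self-signed root.
func makeCert(cn string, ca bool, nb, na time.Time, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as a real CA would issue
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na,
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else { // a server certificate names the host it serves (SAN) and carries the server-auth EKU
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain builds a constructed path like Figure 12-2 (server cert <- issuing CA <- root CA), each cert valid from an hour before now until 24 hours after; trusted holds only the root.
func BuildChain(now time.Time) (leaf, inter *x509.Certificate, trusted *x509.CertPool) {
	nb, na := now.Add(-time.Hour), now.Add(24*time.Hour)
	root, rk := makeCert("Example Root CA", true, nb, na, nil, nil)
	inter, ik := makeCert("Example Class 3 EV SSL CA", true, nb, na, root, rk)
	leaf, _ = makeCert("investing.example.com", false, nb, na, inter, ik)
	trusted = x509.NewCertPool() // stands in for the browser's or appliance's trusted root store
	trusted.AddCert(root)
	return leaf, inter, trusted
}

// Validate applies the checks the text lists: the server certificate must chain through inter to a root in roots, be inside its validity period at time at, and match host. A nil result means valid.
func Validate(leaf, inter *x509.Certificate, roots *x509.CertPool, host string, at time.Time) error {
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: at})
	return err
}
```

Note that modern validators, Go's included, match the hostname against the certificate's Subject Alternative Name rather than the Common Name the text mentions, so the example places the host in both fields. Changing the host, the time or the root pool in a call to Validate produces the corresponding hostname, validity-period or unknown-authority error.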
The Web Security appliance verifies that a server certificate is valid before it inspects and decrypts an HTTPS connection from a server. You can configure how the appliance handles connections to servers with invalid certificates. The appliance can perform one of the following actions for invalid server certificates: