Cisco Web Security Appliance S170 User Guide
12-11
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12 Decryption Policies
Decrypting HTTPS Traffic
The mimicked certificate is the same as the server certificate except for the following fields:
• Issuer. The issuer comes from the generated or uploaded root certificate configured in the appliance.
• Signature Algorithm. This field is always “sha1WithRSAEncryption” or “dsaWithSHA1”, depending on whether the root certificate the appliance uses contains an RSA or DSA key.
• Public Key. The appliance replaces the public key in the original certificate with a public key it generates that matches the bit strength of the original certificate, and for which it has also generated a matching private key. For example, if the server certificate uses a 2048-bit RSA key, the appliance generates a new 2048-bit RSA key.
• X509v3 Extensions. All X509v3 extensions are removed except for the following:
  – Basic Constraints
  – Subject Alternative Name
  – Key Usage
  – Subject Key Identifier
  – Extended Key Usage
  For example, the appliance removes the Authority Key Identifier and the Authority Information Access X509v3 extensions.
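The rules above determine exactly what a client sees when the HTTPS Proxy is in the path. The Go program below is an added example, not part of this guide or of the appliance software: Inspect checks a certificate presented to a client against those rules (issuer equals the configured root, a SHA-1 signature, no extensions beyond the five kept), and SampleMimic constructs its own stand-in root and mimicked certificate to run it against. The root name “WSA Root (constructed)”, the host www.example.com and the 2048-bit key size are assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// RFC 5280 OIDs of the five extensions the appliance keeps: Basic Constraints, SAN, Key Usage, SKI, EKU.
var keptExts = map[string]bool{"2.5.29.19": true, "2.5.29.17": true, "2.5.29.15": true, "2.5.29.14": true, "2.5.29.37": true}

type Report struct {
	IssuedByRoot   bool     // DER issuer name equals the configured root certificate's subject
	SHA1Signature  bool     // sha1WithRSAEncryption or dsaWithSHA1, as the guide documents
	UnexpectedExts []string // extension OIDs the appliance should have stripped (e.g. AKI, AIA)
}

// Inspect checks a leaf certificate against the root certificate configured on the appliance.
func Inspect(leaf, root *x509.Certificate) Report {
	r := Report{IssuedByRoot: bytes.Equal(leaf.RawIssuer, root.RawSubject)}
	r.SHA1Signature = leaf.SignatureAlgorithm == x509.SHA1WithRSA || leaf.SignatureAlgorithm == x509.DSAWithSHA1
	for _, e := range leaf.Extensions {
		if !keptExts[e.Id.String()] {
			r.UnexpectedExts = append(r.UnexpectedExts, e.Id.String())
		}
	}
	return r
}

// SampleMimic constructs a stand-in for the appliance root and a mimicked 2048-bit RSA server certificate.
// Signing with rootTpl as parent (it has no SubjectKeyId) keeps Go from adding an AuthorityKeyId; errors are ignored.
func SampleMimic() (leaf, root *x509.Certificate) {
	now := time.Now()
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rootTpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "WSA Root (constructed)"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048) // fresh key at the server key's bit strength
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), SignatureAlgorithm: x509.SHA1WithRSA,
		Subject: pkix.Name{CommonName: "www.example.com"}, DNSNames: []string{"www.example.com"},
		NotBefore: now, NotAfter: now.Add(time.Hour), SubjectKeyId: []byte{1, 2, 3, 4}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, rootTpl, &leafKey.PublicKey, rootKey)
	root, _ = x509.ParseCertificate(rootDER)
	leaf, _ = x509.ParseCertificate(leafDER)
	return leaf, root
}
```

Note that current TLS stacks increasingly refuse SHA-1 certificate signatures outright (Go's own x509.Certificate.CheckSignatureFrom returns an error for them), so the documented signature algorithm is itself a compatibility risk on up-to-date clients even when the root is installed.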
Working with Root Certificates
The Web Security appliance mimics the HTTPS server to which a client originally sent a connection request. To establish a secure connection with the client while pretending to be the requested server, the appliance must send the client a server certificate signed by a root certificate authority configured in the appliance.
When you enable the HTTPS Proxy on the appliance, you can configure the root certificate information that the appliance uses to sign its server certificates. You can enter root certificate information in the following ways:
• Generate. You can enter some basic organization information and then click a button so the appliance generates the rest of the certificate and a private key. You might want to generate a certificate and key when your organization does not have a certificate and key in use, or when it wants to create a new and unique certificate and key.
• Upload. You can upload a certificate file and its matching private key file created outside of the appliance. You might want to upload a certificate and key file if the clients on the network already have the root certificates on their machines.
  The certificate and key files you upload must be in PEM format. DER format is not supported. For more information about converting a DER formatted certificate or key to PEM format, see
Note
The certificate you upload must contain “basicConstraints=CA:TRUE” to work with Mozilla Firefox browsers. This constraint allows Firefox to recognize the root certificate as a trusted root authority.
For more information about how to generate or upload a certificate and key, see