Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide, page 11-3
Chapter 11      Processing HTTPS Traffic
Note
Cisco recommends creating fewer, more general Decryption Policy groups that apply to all users or fewer, larger groups of users on the network. Then, if you need to apply more granular control to decrypted HTTPS traffic, use more specific Access Policy groups. For more information about Access Policy groups, see .
 shows the order the Web Proxy uses when evaluating control settings for Decryption Policies.  shows the order the Web Proxy uses when evaluating control settings for Access Policies.
Certificates
The HTTPS proxy uses the root certificates and private key files that you upload to the appliance to decrypt traffic. The root certificate and private key files you upload to the appliance must be in PEM format.
You can enter root certificate information in the following ways:
  • Generate. You can enter some basic organization information and then click a button so the appliance generates the rest of the certificate and a private key. You might want to generate a certificate and key when your organization does not have a certificate and key in use, or when it wants to create a new and unique certificate and key.
  • Upload. You can upload a certificate file and its matching private key file created outside of the appliance. You might want to upload a certificate and key file if the clients on the network already have the root certificates on their machines.
The certificate and key files you upload must be in PEM format. DER format is not supported. For more information about converting a DER formatted certificate or key to PEM format, see
Note
Mozilla Firefox browsers: The certificate you upload must contain “basicConstraints=CA:TRUE” to work with Mozilla Firefox browsers. This constraint allows Firefox to recognize the root certificate as a trusted root authority.
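The two upload requirements above, PEM encoding (DER is rejected) and a basicConstraints extension with CA:TRUE for Firefox, can both be verified before the file is loaded into the appliance. The following is an added example, not code from the Cisco guide or from the appliance; it uses only the Python standard library, assumes the file holds an X.509 certificate, and exercises itself on a constructed X.509-shaped byte string (not a real certificate) that carries only a basicConstraints extension. The function names (`check_ca_upload`, `basic_constraints_ca`, `sample_cert`) are this example's own.

```python
"""Added example, not from the Cisco guide: pre-flight checks on a CA certificate
before uploading it to the HTTPS proxy. (1) Is it PEM? DER is rejected, and
re-armouring as PEM (RFC 7468: base64 folded at 64 columns) is the whole conversion.
(2) Does it carry basicConstraints cA TRUE, as Firefox requires? A small DER walker
finds the extension by OID 2.5.29.19; no third-party ASN.1 library is needed."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # content octets of OID 2.5.29.19

def detect_format(data):
    """Classify uploaded bytes as 'PEM', 'DER' or 'unknown'."""
    if PEM_RE.search(data):
        return "PEM"
    return "DER" if data[:1] == b"\x30" else "unknown"  # X.509 starts with a SEQUENCE tag

def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armour: base64 body folded at 64 characters."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def pem_to_der(pem):
    """Strip PEM armour and decode the base64 body back to DER."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not PEM")
    return base64.b64decode(re.sub(rb"\s", b"", m.group(2)))

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content octets of a constructed node into (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _find_extension(node, oid):
    """Depth-first search for Extension ::= SEQUENCE { extnID OID, critical?, extnValue } with extnID == oid."""
    for tag, val in _children(node):
        if tag & 0x20:  # constructed node: SEQUENCE, SET, [3] EXPLICIT Extensions, ...
            kids = _children(val)
            if kids and kids[0] == (0x06, oid):
                return kids
            found = _find_extension(val, oid)
            if found:
                return found
    return None

def basic_constraints_ca(der):
    """cA flag of basicConstraints (True/False), or None when the extension is absent."""
    ext = _find_extension(der, BASIC_CONSTRAINTS_OID)
    if ext is None:
        return None
    tag, extn_value = ext[-1]  # extnValue is the last member of Extension
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    bc_tag, bc_val, _ = _read_tlv(extn_value, 0)
    if bc_tag != 0x30:
        raise ValueError("BasicConstraints is not a SEQUENCE")
    members = _children(bc_val)
    # cA BOOLEAN DEFAULT FALSE: DER omits default values, so an empty SEQUENCE means CA:FALSE
    return bool(members) and members[0] == (0x01, b"\xff")

def check_ca_upload(data):
    """Run both checks on raw file bytes; 'pem' is the text the appliance would accept."""
    fmt = detect_format(data)
    if fmt == "unknown":
        return {"format": fmt, "pem": None, "ca": None}
    der = pem_to_der(data) if fmt == "PEM" else data
    return {"format": fmt, "pem": der_to_pem(der), "ca": basic_constraints_ca(der)}

def _tlv(tag, value):
    """Tiny DER encoder (short-form lengths only) used just to build the sample below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def sample_cert(ca):
    """Constructed stand-in, NOT a real certificate: an X.509-shaped SEQUENCE whose
    tbsCertificate carries only an Extensions [3] block holding basicConstraints."""
    bc = _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")  # BasicConstraints ::= SEQUENCE { cA }
    ext = _tlv(0x30, _tlv(0x06, BASIC_CONSTRAINTS_OID) + _tlv(0x01, b"\xff") + _tlv(0x04, bc))
    tbs = _tlv(0x30, _tlv(0xA3, _tlv(0x30, ext)))
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 5))  # placeholder BIT STRING, no real signature

if __name__ == "__main__":
    for flag in (True, False):
        print(check_ca_upload(sample_cert(flag)))
```

On a real root or intermediate file, pass the file bytes to `check_ca_upload`: a DER file comes back with its PEM rendering (the same re-encoding `openssl x509 -inform DER -in ca.der -out ca.pem` performs), and a `ca` value of False or None means Firefox will not accept the certificate as a root authority, so the upload should be stopped there. The walker only descends into constructed nodes, so it never misreads a nested certificate or key material inside a BIT STRING or OCTET STRING as the extension it is looking for.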
For more information about how to generate or upload a certificate and key, see 
However, typically, the root certificate information you generate or upload in the appliance is not listed as a trusted root certificate authority in client applications. By default in most web browsers, when users send HTTPS requests, they will see a warning message from the client application informing them that there is a problem with the website’s security certificate. Usually, the error message says that the website’s security certificate was not issued by a trusted certificate authority or the website was certified by an unknown authority. Some other client applications do not show this warning message to users nor allow users to accept the unrecognized certificate.
Note
You can also upload an intermediate certificate that has been signed by a root certificate authority. When the Web Proxy mimics the server certificate, it sends the uploaded certificate along with the mimicked certificate to the client application. That way, as long as the intermediate certificate is signed by a root certificate authority that the client application trusts, the application will trust the mimicked server