Cisco Web Security Appliance S170 User Guide

Working with Root Certificates
Chapter 10: Decryption Policies
Page 193
• Basic Constraints
• Subject Alternative Name
• Key Usage
• Subject Key Identifier
• Extended Key Usage
For example, the appliance removes the Authority Key Identifier and the Authority Information Access X509v3 extensions.
Working with Root Certificates
The Web Security appliance mimics the HTTPS server to which a client originally sent a connection request. To establish a secure connection with the client while posing as the requested server, the appliance must send the client a server certificate signed by a root certificate authority configured in the appliance.
When you enable HTTPS scanning on the appliance, you can configure the root certificate information that the appliance uses to sign its server certificates. You can enter root certificate information in the following ways:
• Generate. You can enter some basic organization information and then click a button so the appliance generates the rest of the certificate and a matching key. You might want to generate a certificate and key when your organization does not have a certificate and key in use, or when it wants to create a new and unique certificate and key.
• Upload. You can upload a certificate file and its matching key file created outside of the appliance. You might want to upload a certificate and matching key file if the clients on the network already have the root certificates on their machines.
The certificate and key files you upload must be in PEM format. DER format is not supported. For more information about converting a DER-formatted certificate or key to PEM format, see “Converting Certificate and Key Formats” on page 195.
Note — The certificate you upload must contain “basicConstraints=CA:TRUE” to work with Mozilla Firefox browsers. This constraint allows Firefox to recognize the root certificate as a trusted root authority.
For more information about how to generate or upload a certificate and key, see “Enabling HTTPS Scanning” on page 197.
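The following added example (not Cisco's code, and not part of the guide) checks a certificate and key pair against the requirements above before you upload it: PEM encoding rather than DER, a basicConstraints extension that says CA:TRUE, and a private key that actually matches the certificate. It assumes the third-party `cryptography` package is installed; `make_self_signed_root` builds a constructed sample pair comparable to what the Generate option produces.

```python
# Added example, not Cisco's code; assumes the third-party `cryptography` package.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

PEM, SPKI = serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo


def check_root_material(cert_pem: bytes, key_pem: bytes) -> list:
    """Return the problems found; an empty list means the pair is ready to upload."""
    if b"-----BEGIN CERTIFICATE-----" not in cert_pem:
        return ["certificate is not PEM encoded (DER is not supported)"]  # DER is binary
    if b"-----BEGIN" not in key_pem:
        return ["key is not PEM encoded (DER is not supported)"]
    cert = x509.load_pem_x509_certificate(cert_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    problems = []
    try:  # Firefox only trusts the root if basicConstraints says CA:TRUE
        if not cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            problems.append("basicConstraints is present but says CA:FALSE")
    except x509.ExtensionNotFound:
        problems.append("basicConstraints extension is missing (needs CA:TRUE)")
    # Compare the encoded public keys so the check works on any cryptography version.
    if key.public_key().public_bytes(PEM, SPKI) != cert.public_key().public_bytes(PEM, SPKI):
        problems.append("private key does not match the certificate's public key")
    return problems


def make_self_signed_root(org: str, ca: bool = True):
    """Constructed sample: a key and self-signed root, as the Generate option would produce."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, org + " Root CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
                           critical=False)
            .sign(key, hashes.SHA256()))
    key_pem = key.private_bytes(PEM, serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return cert.public_bytes(PEM), key_pem
```

Run `check_root_material` on the files you intend to upload; any non-empty result names the requirement from this section that the pair fails.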
However, typically, the root certificate information you generate or upload in the appliance is not listed as a trusted root certificate authority in client applications. By default, when users send HTTPS requests, they will see a warning message from the client application informing them that there is a problem with the website’s security certificate. Usually, the error message says that the website’s security certificate was not issued by a trusted certificate authority or the website was certified by an unknown authority.
Note — You can also upload an intermediate certificate that has been signed by a root certificate authority. When the Web Proxy mimics the server certificate, it sends the uploaded