Cisco Web Security Appliance S170 User Guide

AsyncOS 8.8 for Cisco Web Security Appliances User Guide
 
Appendix A: Troubleshooting
Identity Services Engine Problems
ISE Server Connection Issues
Certificate Issues
The WSA and the ISE server(s) use certificates to mutually authenticate for a successful connection. Thus,
each certificate presented by one entity should be recognizable by the other. For example, if the WSA's
Client certificate is self-signed, the same certificate must be present in the trusted-certificates list on the
appropriate ISE server(s). Correspondingly, if the WSA Client certificate is CA-signed, then the CA root
certificate must be present on the appropriate ISE server(s). Similar requirements apply to the ISE
server-related Admin and pxGrid certificates.
Certificate requirements and installation are described in 
If you encounter certificate-related issues, check the following:
• If using CA-signed certificates:
  - Verify that the root CA signing certificate(s) for the Admin and pxGrid certificates are present
    on the WSA.
  - Verify that the root CA signing certificate for the WSA Client certificate is present in the
    trusted-certificates list on the ISE server.
• If using self-signed certificates:
  - Verify that the WSA Client certificate, generated on the WSA and downloaded, has been
    uploaded to the ISE server and is present in the ISE server's trusted-certificates list.
  - Verify that the ISE Admin and pxGrid certificates, generated on the ISE server and
    downloaded, have been uploaded to the WSA and are present in its certificate list.
• Expired certificates:
  - Confirm that certificates which were valid when uploaded have not expired.
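The checks in the list above can be rehearsed offline with the openssl command-line tool, treating one file as the certificate a device presents and another as the trust list held by its peer. This is an added example, not part of the Cisco guide: the helper names check_trust and make_demo_pki, all file names and all subject names are assumptions, and the certificates are constructed test material generated by the script itself.

```sh
#!/bin/sh
# check_trust CERT PEER_TRUST_LIST [MIN_DAYS]
#   0 = accepted by the peer's list and valid for MIN_DAYS more days
#   1 = not trusted by the peer's list; 2 = expired or expiring too soon
#   3 = certificate or trust-list file not readable
check_trust() {
    cert=$1; trust=$2; days=${3:-0}
    [ -r "$cert" ] && [ -r "$trust" ] || return 3
    # Expiry first: an expired certificate would also fail 'openssl verify'.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) \
        >/dev/null 2>&1 || return 2
    # CA-signed: passes only if the signing root CA is in the peer's list.
    # Self-signed: passes only if this exact certificate is in the list.
    # (openssl may also search its default CA directory; the constructed
    # demo certificates below do not exist there.)
    openssl verify -CAfile "$trust" "$cert" >/dev/null 2>&1 || return 1
    return 0
}

# Constructed test material (all names are made up): a demo root CA, a
# CA-signed "WSA client" certificate and a self-signed one, valid 30 days.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=wsa-client.example" \
        -keyout "$d/wsa.key" -out "$d/wsa.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/wsa.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/wsa-ca-signed.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=wsa-self.example" -keyout "$d/self.key" \
        -out "$d/wsa-self-signed.pem" 2>/dev/null
}

# Each pair is "certificate presented" / "trust list held by the peer".
demo() {
    d=$(mktemp -d) && make_demo_pki "$d" || return 1
    for pair in "wsa-ca-signed.pem ca.pem" \
                "wsa-ca-signed.pem wsa-self-signed.pem" \
                "wsa-self-signed.pem wsa-self-signed.pem"; do
        set -- $pair; rc=0
        check_trust "$d/$1" "$d/$2" || rc=$?
        echo "presented=$1 peer-trust-list=$2 result=$rc"
    done
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

To run the same check on real material, pass check_trust the certificate exported from one device and a PEM file holding the certificates the other device trusts, with a MIN_DAYS value to catch certificates that are about to expire.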
Log Output Indicating Certificate Issue
The following ISE-service log snippet shows a client-connection timeout due to a missing or 
invalid certificate.
These Trace-level log entries on the WSA show that after 30 seconds the attempts to connect to the ISE 
server are terminated.