WSA Certificate Usage for HTTPS Decryption

Available Languages

Updated:June 11, 2014
Document ID:117792

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes the type of certificate that should be used for HTTPS decryption on a Cisco Web Security Appliance (WSA).

Certificate Overview

The WSA has the ability to use a current certificate and private key for use with HTTPS decryption. However, there might be confusion about the type of certificate that should be used, since not all x.509 certificates work.

There are two major types of certificates: Server certificates and Root certificates. All x.509 certificates contain a Basic Constraints field, which identifies the type of certificate:

  • Subject Type=End Entity - Server certificate

  • Subject Type=CA - Root certificate

Note: You must use a Root certificate, also referred to as a Certificate Authority (CA) Signing certificate, for HTTPS decryption on the WSA.

Root Certificates

A Root certificate is specifically created in order to sign server certificates. You can create and operate your own CA and sign your own server certificates.

Note: Since a Root certificate only signs other certificates, it cannot be used on a web server in order to perform HTTPS encryption and decryption.

The WSA must use a Root certificate in order to actively generate server certificates for HTTPS decryption. There are two options available for Root certificate usage:

  • Generate a root certificate on the WSA. The WSA creates its own Root certificate and private key, and it uses this key pair in order to sign Server certificates.

  • You can upload a current Root certificate and its private key into the WSA. The Common Name (CN) field in a Root certificate identifies the entity (typically a corporation name) that trusts any Server certificates that contain its signature.

Note: Before a Server certificate can be trusted, it must be signed by a Root certificate that has a public key present in the web browser.

Server Certificates

A Server certificate is specifically created in order to be used in HTTPS encryption and decryption and in order to verify the authenticity of a specific server. Server certificates are signed by a CA with use of the CA Root certificate. A common example of a CA is VeriSign or Thawte.

Note: A Server certificate cannot be used in order to sign other certificates; therefore, HTTPS decryption does not work if a Server certificate is installed on the WSA.

The CN field in a Server certificate specifies the host for which the certificate is intended to be used. For example, https://www.verisign.com uses a Server certificate with a CN of www.verisign.com.

Related Information 

Revision History

Revision Publish Date Comments
1.0
11-Jun-2014
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Josh Wolfer
    Cisco TAC Engineer.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products