This document describes the type of certificate that should be used for HTTPS decryption on a Cisco Web Security Appliance (WSA).
The WSA can use an existing certificate and private key for HTTPS decryption. However, there is often confusion about which type of certificate to use, because not every X.509 certificate works.
There are two major types of certificates: Server certificates and Root certificates. Every X.509 certificate contains a Basic Constraints field, which identifies the type of certificate:
Subject Type=End Entity - Server certificate
Subject Type=CA - Root certificate
Note: You must use a Root certificate, also referred to as a Certificate Authority (CA) Signing certificate, for HTTPS decryption on the WSA.
A Root certificate is specifically created in order to sign Server certificates. You can create and operate your own CA and sign your own Server certificates.
Note: Since a Root certificate only signs other certificates, it cannot be used on a web server in order to perform HTTPS encryption and decryption.
The WSA must use a Root certificate in order to actively generate server certificates for HTTPS decryption. There are two options available for Root certificate usage:
Generate a Root certificate on the WSA. The WSA creates its own Root certificate and private key, and it uses this key pair in order to sign Server certificates.
Upload an existing Root certificate and its private key to the WSA. The Common Name (CN) field in a Root certificate identifies the entity (typically a corporation name) that signs, and therefore vouches for, any Server certificate that carries its signature.
Note: Before a Server certificate can be trusted, it must be signed by a Root certificate whose public key is present in the web browser's trust store.
A Server certificate is specifically created in order to be used in HTTPS encryption and decryption and in order to verify the authenticity of a specific server. Server certificates are signed by a CA with the CA Root certificate. Common examples of CAs are VeriSign and Thawte.
Note: A Server certificate cannot be used in order to sign other certificates; therefore, HTTPS decryption does not work if a Server certificate is installed on the WSA.
The CN field in a Server certificate specifies the host for which the certificate is intended to be used. For example, https://www.verisign.com uses a Server certificate with a CN of www.verisign.com.
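As an added example (not Cisco's code or a WSA feature), the following POSIX shell script inspects a PEM certificate's Basic Constraints field to tell a CA Signing certificate from an End Entity one before it is uploaded to the WSA, and checks that the private key uploaded alongside it actually belongs to it. It assumes the openssl command-line tool is installed; the two certificates it tests are generated on the fly as constructed demo data.

```shell
# Added example (not Cisco's code): pre-flight checks on a PEM certificate and
# private key before uploading them to the WSA for HTTPS decryption.
# Assumes the openssl command-line tool (1.1.1 or later) is on PATH.

# Returns 0 if certificate $1 is a CA (Root) certificate, i.e. its Basic
# Constraints extension says CA:TRUE; returns 1 for an End Entity (Server)
# certificate, which the WSA cannot use to sign the certificates it generates.
wsa_cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Returns 0 if private key $2 belongs to certificate $1 (the WSA needs both
# halves of the Root key pair in order to sign Server certificates).
wsa_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo data (constructed here, not real WSA material): two throwaway
# self-signed certificates that differ only in Basic Constraints / Key Usage.
demo_dir=$(mktemp -d)
cat > "$demo_dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
for kind in ca server; do
    [ "$kind" = ca ] && cn="Example Corp Root CA" || cn="www.example.com"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -config "$demo_dir/openssl.cnf" -extensions "v3_$kind" \
        -keyout "$demo_dir/$kind.key" -out "$demo_dir/$kind.pem" 2>/dev/null
done
# Report which file the WSA would accept as its signing certificate.
for kind in ca server; do
    if wsa_cert_is_ca "$demo_dir/$kind.pem"; then verdict="CA (usable)"
    else verdict="End Entity (not usable)"; fi
    echo "$kind.pem: $verdict"
done
```

Run the two functions against your own files to confirm the certificate carries CA:TRUE and the key matches before the upload; a Server certificate, or a key from a different pair, is what silently breaks decryption.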