When a user connects to a website using HTTPS, the session is encrypted with a digital certificate. When secure traffic inspection is enabled, Cisco Cloud Web Security forwards all self-signed, expired, invalid, and revoked certificates.
Secure traffic inspection decrypts and scans the HTTPS traffic passing through Cisco Cloud Web Security for threats and carries out actions based on your policy settings. If the traffic is deemed safe, it is re-encrypted and passed back to your organization with a new SSL certificate.
All users must have an SSL certificate deployed to their web browser. You can generate a certificate in Cisco ScanCenter with Cisco as the Certificate Authority (CA), or alternatively, download a Certificate Signing Request (CSR) and use it with a tool (such as Microsoft Certificate Services or OpenSSL) to generate and upload your own certificate (where your organization is the CA). The certificate is then associated with your secure traffic inspection policy.
When using a CSR, the following fields must be present in the certificate:
X509v3 Basic Constraints: CA:TRUE
With OpenSSL, the command
openssl x509 -extfile v3_ca.txt -req -days 365 -in scancenter.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out scancenter.crt performs this function, where v3_ca.txt contains the following:
subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true
Two changes are required on the client:
- Proxy settings for SSL traffic must be configured in the client web browser or on your organization’s firewall or gateway device.
- The Cisco root certificate must be imported into the client web browser to enable it to trust SSL connections with Cisco Cloud
Browsers may automatically import the certificate to the Intermediate Certificate Authorities store. However, the certificate must be placed in the Trusted Root Certificate store for Secure Traffic Inspection to function correctly.