Certificates for Internet Decryption

Certificates are required for secure internet access. Specifically, certificates are required to decrypt traffic in order to inspect it for threats, and to present notifications to end users when access is blocked or triggers a warning. Web security features and the intrusion prevention (IPS) feature all require decryption in order to be effective.

End-user devices that connect to resources through Secure Access must trust the connection with Secure Access. You must set up certificates to establish this trust.

For internet traffic, depending on the features you need, there are two ways for end-user devices to validate the certificate that Secure Access presents to end-user devices that connect to internet resources through Secure Access:

  1. You can install the self-signed Secure Access certificate into the browser trust stores of all end-user endpoint devices, or
  2. You can sign the Secure Access certificate using your corporate certificate authority (CA) so that it can be validated by an existing certificate in the trust store of end-user devices. This method also allows you to easily revoke the certificate if needed, without having to update all end-user devices.

Table of Contents

Certificates for Displaying Notifications

You can use only this method:

Certificates for Decrypting Internet Traffic

You can use either of these methods:

Option 1: Distribute Self-Signed Certificates to End-User Devices



  1. Navigate to Secure > Settings > Certificates and click the Internet Decryption tab.
  2. Expand Secure Access self-signed certificate.
  1. Download the Secure Access certificate.
  2. Install the downloaded certificate in the trust store of all devices in your organization.
    For more information, see Certificate Installation Methods.

Identify the certificate

The SHA1 hash of the file uniquely identifies the certificate file; you can use it to determine whether a file is this file, and whether the file has been modified from the original.

Option 2: Use a Signed Certificate for Decrypting Internet Traffic

If your organization's managed devices already have the root certificate required to validate certificates signed by your corporate certificate authority (CA), you can sign the Secure Access certificate with your corporate CA, instead of installing the Secure Access self-signed certificate on every end-user device. This certificate cannot be used to display notifications. For more information, see Add Customer CA Signed Root Certificate.

Manage Certificates < Certificates for Internet Decryption > Install the Cisco Secure Access Root Certificate