Certificates for Internet Decryption
Certificates are required for secure internet access. Specifically, certificates are required to decrypt traffic in order to inspect it for threats, and to present notifications to end users when access is blocked or triggers a warning. Web security features and the intrusion prevention (IPS) feature all require decryption in order to be effective.
End-user devices that connect to resources through Secure Access must trust the connection with Secure Access. You must set up certificates to establish this trust.
For internet traffic, depending on the features you need, there are two ways for end-user devices to validate the certificate that Secure Access presents to end-user devices that connect to internet resources through Secure Access:
- You can install the self-signed Secure Access certificate into the browser trust stores of all end-user endpoint devices, or
- You can sign the Secure Access certificate using your corporate certificate authority (CA) so that it can be validated by an existing certificate in the trust store of end-user devices. This method also allows you to easily revoke the certificate if needed, without having to update all end-user devices.
Table of Contents
Certificates for Displaying Notifications
You can use only this method:
Certificates for Decrypting Internet Traffic
You can use either of these methods:
- Option 1: Distribute Self-Signed Certificates to End-User Devices
- Option 2: Use a Signed Certificate
Option 1: Distribute Self-Signed Certificates to End-User Devices
Prerequisites
- Full Admin user role. For more information, see Manage Accounts.
Procedure
- Navigate to Secure > Settings > Certificates and click the Internet Decryption tab.
- Expand Secure Access self-signed certificate.
- Download the Secure Access certificate.
- Install the downloaded certificate in the trust store of all devices in your organization.
For more information, see Certificate Installation Methods.
Identify the certificate
The SHA1 hash of the file uniquely identifies the certificate file; you can use it to determine whether a file is this file, and whether the file has been modified from the original.
Option 2: Use a Signed Certificate for Decrypting Internet Traffic
If your organization's managed devices already have the root certificate required to validate certificates signed by your corporate certificate authority (CA), you can sign the Secure Access certificate with your corporate CA, instead of installing the Secure Access self-signed certificate on every end-user device. This certificate cannot be used to display notifications. For more information, see Add Customer CA Signed Root Certificate.
Manage Certificates < Certificates for Internet Decryption > Install the Cisco Secure Access Root Certificate
Updated 12 months ago