Trusting External Certificate Authorities
You can trust CAs by adding root and intermediate CA certificates to your decryption policy, then use these trusted CAs to verify server certificates used to encrypt traffic.
If a trusted CA certificate contains an uploaded certificate revocation list (CRL), you can also verify whether a trusted CA revoked the encryption certificate.
Tip: Upload all certificates in a root CA's chain of trust to the list of trusted CA certificates, including the root CA certificate and all intermediate CA certificates. Otherwise, it is more difficult to detect trusted certificates issued by intermediate CAs. Also, if you configure certificate status conditions to trust traffic based on the root issuer CA, all traffic within a trusted CA's chain of trust can be allowed without decryption, rather than unnecessarily decrypting it. For more information, see Trusted CA Object.
Note: When you create a decryption policy, the policy's Trusted CA Certificate tab page is populated with several trusted CA certificates, including the Cisco-Trusted-Authorities group, which is added to the Select Trusted CAs list.
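The chain-building and CRL behaviour described above, shown as an added example in Go. This is not Cisco's code and does not claim to show how the decryption policy validates certificates internally; it builds its own root, intermediate and server certificates plus a CRL in-process, so every name and serial number in it is constructed. It demonstrates the point of the tip: with only the root in the trusted list and no intermediate available, the server certificate cannot be chained to a trust anchor; once the intermediate is also trusted (or is presented by the server in the handshake) the chain builds; and a CRL is only consulted after its signature has been confirmed to come from the CA that issued it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed root -> intermediate -> server hierarchy plus a CRL from the intermediate (not a real CA).
type PKI struct {
	Root, Inter, Server *x509.Certificate
	CRL                 *x509.RevocationList
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil).
func mkCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA needs certSign to issue certificates and cRLSign to publish CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage, tmpl.DNSNames = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildPKI constructs the hierarchy and a CRL in which the intermediate revokes the server certificate.
func BuildPKI() PKI {
	root, rootKey := mkCert("Example Root CA (constructed)", 1, true, nil, nil)
	inter, interKey := mkCert("Example Issuing CA (constructed)", 2, true, root, rootKey)
	server, _ := mkCert("www.example.test", 3, false, inter, interKey)
	now := time.Now()
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: server.SerialNumber, RevocationTime: now}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, crlTmpl, inter, interKey)
	check(err)
	crl, err := x509.ParseRevocationList(der)
	check(err)
	return PKI{Root: root, Inter: inter, Server: server, CRL: crl}
}

// VerifyServerCert builds a chain from leaf to one of the trusted CAs. presented holds
// untrusted certificates the TLS server happened to include in its handshake.
func VerifyServerCert(leaf *x509.Certificate, trusted, presented []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leaf.DNSNames[0]})
	return err
}

// IsRevoked reports whether crl, which must carry a valid signature from ca, lists leaf's serial.
func IsRevoked(leaf *x509.Certificate, crl *x509.RevocationList, ca *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL not signed by %q: %w", ca.Subject.CommonName, err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p := BuildPKI()
	fmt.Println("root only, nothing presented:  ", VerifyServerCert(p.Server, []*x509.Certificate{p.Root}, nil))
	fmt.Println("root and intermediate trusted: ", VerifyServerCert(p.Server, []*x509.Certificate{p.Root, p.Inter}, nil))
	fmt.Println(IsRevoked(p.Server, p.CRL, p.Inter))
}
```

The first verification fails with an unknown-authority error because the leaf's issuer is the intermediate, which is neither trusted nor presented; the second succeeds because the intermediate is in the trusted set, which is the situation the tip asks you to configure. The CRL check deliberately refuses a CRL whose signature does not verify against the CA it is attached to, so a CRL uploaded under the wrong trusted CA object would not silently mark anything as revoked.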
Procedure
Step 1: Click .
Step 2: Click Edit next to the decryption policy to edit.
Step 3: Click Add Rule to add a new decryption rule, or click Edit to edit an existing rule.
Step 4: Click the Certificates tab.
Step 5: Find the trusted CAs you want to add from the Available Certificates, as follows:
Step 6: To select an object, click it. To select all objects, right-click and then Select All.
Step 7: Click Add to Rule.
Step 8: Add or continue editing the rule.
What to do next
- Add a certificate status decryption rule condition to your SSL rule. See Matching Traffic on Certificate Status for more information.
- Deploy configuration changes.