Certificate on wsa

Vishal6
Level 2

Hi All,

I have generated a certificate from the WSA appliance in .pem format and am using the same on the client machine under Trusted Root Certificates. Can I use that certificate for HTTPS decryption, or do I need to have a CA-signed or AD-signed certificate?

Please note: user identification has been configured using IP address.

5 Replies

lily75dom
Level 1

When a client tries to connect to an HTTPS website, the WSA intercepts the request.
The WSA then establishes its own SSL/TLS connection with the actual website.
At the same time, the WSA generates a spoofed certificate for the website and presents it to the client. This spoofed certificate is signed by the WSA's own "decryption CA" certificate.
If the client trusts this WSA decryption CA, it will accept the spoofed certificate, allowing the WSA to decrypt the traffic, inspect it,

Vishal6
Level 2

Would my certificate be sufficient to decrypt HTTPS traffic, or do I need to procure a CA-signed or AD-signed one?

Vishal6
Level 2

I have enabled decryption for Enhanced Application Control and found that Windows Update fails. After removing that checkmark, the download starts.

Please note: I have generated the certificate using Generate New Certificate and Key, then directly downloaded it and installed it on the client machine. Snapshot attached for reference.

[attached screenshot: Vishal6_0-1749466545107.png]

amojarra
Cisco Employee

Hi @Vishal6 

I hope you are doing fine 


[1] When you generate the certificate from the WSA side (self-signed), you need to add that certificate to the trusted root CA store of the client PC to make decryption work without any certificate errors.

This link might be helpful:

https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance/220474-configure-decryption-certificate-in-secu.html

 

[2] In case you have a trusted CA and you need to sign the WSA's certificate with it, you need to:

[2-1] Generate the CSR (Certificate Signing Request)

[2-2] Commit changes

[2-3] Sign your certificate

[2-4] Upload the signed certificate to the WSA

[2-5] Commit again


both options [1] and [2] are doable. 

 

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

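The following is an added example, not code from this thread or from Cisco, covering both the interception flow described in lily75dom's reply and the two options in the reply above. Using the Python `cryptography` library, it builds a self-signed decryption CA (option [1]) and a decryption CA whose CSR is signed by an enterprise root CA (option [2]), mints a spoofed leaf for a constructed hostname the way the appliance would, and runs a simplified stand-in for the client's chain validation. Every name, hostname and validity period is constructed for the demo, and `client_accepts` is a deliberately reduced model of what a browser does, not a real TLS client.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

DAY = datetime.timedelta(days=1)  # validity values below are constructed for the demo

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(subject, issuer, pubkey, signer_key, is_ca, san=None):
    """Build and sign a certificate. CA:TRUE is what lets a cert sign other certs."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now - DAY).not_valid_after(now + 30 * DAY)
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return b.sign(signer_key, hashes.SHA256())

def make_self_signed_ca(cn):
    """Option [1]: models what 'Generate New Certificate and Key' on the appliance produces."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _issue(_name(cn), _name(cn), key.public_key(), key, True)

def make_csr(key, cn):
    """Option [2], step [2-1]: the CSR the WSA hands to the enterprise CA."""
    return x509.CertificateSigningRequestBuilder().subject_name(_name(cn)).sign(key, hashes.SHA256())

def sign_csr(csr, signer_key, signer_cert, is_ca):
    """Option [2], step [2-3]: the enterprise CA signs the CSR; `is_ca` models the template used."""
    assert csr.is_signature_valid
    return _issue(csr.subject, signer_cert.subject, csr.public_key(), signer_key, is_ca)

def spoof_leaf(hostname, dec_key, dec_cert):
    """Per site, the appliance mints a leaf for `hostname` signed by the decryption CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return _issue(_name(hostname), dec_cert.subject, key.public_key(), dec_key, False, san=hostname)

def _signed_by(cert, issuer_cert):
    """True if `issuer_cert` is a CA whose key produced `cert`'s signature."""
    try:
        bc = issuer_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca or cert.issuer != issuer_cert.subject:
            return False
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except (x509.ExtensionNotFound, InvalidSignature):
        return False

def client_accepts(leaf, hostname, trust_store, intermediates=()):
    """Simplified browser-side check: the SAN covers the hostname and the leaf chains,
    through any intermediates the server presented, to a cert in the root store."""
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if hostname not in san.get_values_for_type(x509.DNSName):
        return False
    cert = leaf
    for _ in range(4):  # bound the chain walk
        if any(_signed_by(cert, root) for root in trust_store):
            return True
        cert = next((c for c in intermediates if _signed_by(cert, c)), None)
        if cert is None:
            return False
    return False

def usable_as_decryption_ca(pem):
    """Check on a downloaded .pem: only a CA:TRUE certificate can sign spoofed leaves."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False

def demo():
    host = "www.example.com"  # constructed target site
    k1, dec1 = make_self_signed_ca("WSA decryption CA (self-signed)")  # option [1]
    leaf1 = spoof_leaf(host, k1, dec1)
    ent_key, ent = make_self_signed_ca("Example Corp Root CA")  # option [2]
    k2 = ec.generate_private_key(ec.SECP256R1())
    csr = make_csr(k2, "WSA decryption CA (enterprise-signed)")
    dec2 = sign_csr(csr, ent_key, ent, is_ca=True)
    leaf2 = spoof_leaf(host, k2, dec2)
    dec2_bad = sign_csr(csr, ent_key, ent, is_ca=False)  # same CSR, signed with a server (non-CA) template
    leaf2_bad = spoof_leaf(host, k2, dec2_bad)
    return {
        "self_signed_in_root_store": client_accepts(leaf1, host, [dec1]),
        "self_signed_not_in_store": client_accepts(leaf1, host, []),
        "enterprise_root_only_in_store": client_accepts(leaf2, host, [ent], [dec2]),
        "enterprise_signed_as_end_entity": client_accepts(leaf2_bad, host, [ent], [dec2_bad]),
        "hostname_mismatch": client_accepts(leaf1, "login.example.net", [dec1]),
        "downloaded_pem_is_ca": usable_as_decryption_ca(dec1.public_bytes(serialization.Encoding.PEM)),
    }

if __name__ == "__main__":
    print(demo())
```

Two points the model makes concrete. With option [1] the spoofed leaf is accepted only on clients that have the appliance's own certificate in their trusted root store; with option [2] clients need nothing new as long as they already trust the enterprise root, but the enterprise CA must issue the decryption certificate as a CA (basic constraints CA:TRUE); a certificate issued from an ordinary server template validates fine on its own yet cannot sign leaves that clients will accept, which `usable_as_decryption_ca` is there to catch on the .pem before it is pushed out. Independently of which option is used, software that pins its own certificates will reject any spoofed leaf no matter how trusted the decryption CA is; such destinations are normally excluded from decryption rather than fixed with a different certificate.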

Vishal6
Level 2

In my environment, that is the option we are using; however, we observed enhanced decryption not working properly with the certificate generated from the WSA and used on the client machine.