Requirements for Certificate Security
Certificates that you use to secure web traffic must themselves meet a set of security requirements. If you configure your web policy under Secure Web Gateway with a certificate that does not meet these requirements, you will receive an error message.
A default certificate authority (CA) certificate is provided for configuring SAML authentication, and a customized CA certificate is provided for configuring HTTPS scanning. We recommend replacing the provided customized CA certificate with a CA certificate of your own.
When you replace this certificate, make sure that the replacement meets the security requirements listed below.
List of Requirements for Certificate Security
Here are the requirements for certificates used to secure web traffic. They need to:
- Be available in .pem file format, with the certificate and its private key in separate files
- Have a SHA-256, SHA-384, or SHA-512 signature issued by an RSA or EC (ECDSA) certificate authority (CA)
- Be valid, which means the date when you use a certificate must lie within its validity period (on or after its notBefore date and before its notAfter date)
- For RSA keys: have a key size of 2048 bits or more
- Be of the CA or server certificate type, depending on what you are using the certificate for:
  - When using it to configure the settings of the HTTPS Connection feature configuration: CA certificate
  - When using it to configure the settings of the HTTPS Connection - Reverse Proxy feature configuration: Server certificate
  - When using it to configure the settings for the Mobile Cloud Security (MCS) product: CA certificate
- Have no password protection: the private key file must not be encrypted with a passphrase, because the product cannot be configured to supply one
When configuring a certificate chain, the first four of the above requirements (file format, signature algorithm, validity, and RSA key size) must be met for every certificate in the chain, not only for the leaf certificate.
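The checks above as a script, added here as an example and not part of the product or its documentation: a POSIX shell function that runs the openssl CLI against a PEM certificate/key pair and reports every unmet requirement, plus constructed test material (a good RSA CA, a server certificate issued by it, an EC CA, a 1024-bit RSA CA, and a passphrase-protected copy of the CA key) so that it runs offline. It assumes openssl 1.1.1 or later is on PATH; the file names, the config section names ca_ext and srv_ext, and the "ca"/"server" kind argument are this example's own. It also checks one thing the list leaves implicit, that the private key actually belongs to the certificate.

```shell
#!/bin/sh
# Added example (not the product's code): check a PEM certificate and key
# against the requirements above with the openssl CLI. Assumes openssl >= 1.1.1.

fail() { echo "FAIL: $*"; status=1; }

# check_cert_requirements CERT.pem KEY.pem ca|server -> returns 0 if all requirements hold
check_cert_requirements() {
    cert=$1; key=$2; want=$3; status=0
    # PEM format, certificate and key in separate files
    openssl x509 -in "$cert" -noout 2>/dev/null || { fail "$cert is not a PEM certificate"; return 1; }
    # No password protection: an encrypted PEM key carries ENCRYPTED in its header
    if grep -q ENCRYPTED "$key"; then fail "$key is passphrase-protected"; return 1; fi
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { fail "$key is not a PEM private key"; return 1; }
    certpub=$(openssl x509 -in "$cert" -noout -pubkey)
    [ "$keypub" = "$certpub" ] || fail "private key does not belong to the certificate"
    text=$(openssl x509 -in "$cert" -noout -text)
    # Signature: SHA-256/384/512 from an RSA or ECDSA CA
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sigalg in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
        *) fail "unsupported signature algorithm: $sigalg" ;;
    esac
    # Validity: notAfter via -checkend; notBefore only where GNU date can parse it
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || fail "certificate has expired"
    start=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
    if s=$(date -d "$start" +%s 2>/dev/null); then
        [ "$s" -le "$(date +%s)" ] || fail "certificate is not yet valid (notBefore $start)"
    fi
    # RSA keys need >= 2048 bits; the rule does not apply to EC keys (no Modulus line)
    pubtext=$(printf '%s\n' "$certpub" | openssl pkey -pubin -noout -text)
    bits=$(printf '%s\n' "$pubtext" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    case $pubtext in *Modulus:*) [ "${bits:-0}" -ge 2048 ] || fail "RSA key is only $bits bits" ;; esac
    # CA or server certificate, decided by the basicConstraints extension
    bc=$(printf '%s\n' "$text" | sed -n '/X509v3 Basic Constraints/{n;s/^ *//;p;}')
    case $want in
        ca)     case $bc in CA:TRUE*) ;; *) fail "not a CA certificate (basicConstraints: ${bc:-absent})" ;; esac ;;
        server) case $bc in CA:TRUE*) fail "is a CA certificate, server certificate required" ;; esac ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: $cert ($want, $sigalg, $bits bit key)"
    return $status
}

# Constructed test material in a temp dir; prints the dir path.
make_demo_material() {
    d=$(mktemp -d) || return 1
    cat > "$d/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    {
        openssl req -x509 -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj /CN=Example-Root-CA -keyout "$d/ca.key" -out "$d/ca.pem" &&
        openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 \
            -subj /CN=gateway.example -keyout "$d/srv.key" -out "$d/srv.csr" &&
        openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
            -sha256 -days 365 -extfile "$d/req.cnf" -extensions srv_ext -out "$d/srv.pem" &&
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" &&
        openssl req -x509 -new -config "$d/req.cnf" -key "$d/ec.key" -sha256 -days 365 \
            -subj /CN=Example-EC-CA -out "$d/ec.pem" &&
        openssl req -x509 -new -config "$d/req.cnf" -newkey rsa:1024 -nodes -sha256 -days 365 \
            -subj /CN=Weak-CA -keyout "$d/weak.key" -out "$d/weak.pem" &&
        openssl pkey -in "$d/ca.key" -aes256 -passout pass:secret -out "$d/ca-encrypted.key"
    } >/dev/null 2>&1 || return 1
    echo "$d"
}

DEMO_DIR=$(make_demo_material) || { echo "could not generate test material (is openssl installed?)" >&2; exit 1; }
# Three pairs that pass, then four that each violate one requirement (or the key/cert match).
for spec in "ca.pem ca.key ca" "srv.pem srv.key server" "ec.pem ec.key ca" \
            "weak.pem weak.key ca" "ca.pem ca-encrypted.key ca" "ca.pem srv.key server" "srv.pem srv.key ca"; do
    set -- $spec
    check_cert_requirements "$DEMO_DIR/$1" "$DEMO_DIR/$2" "$3"
done
```

Run it as `sh check_cert.sh`. The EC CA passes even though its key is only 256 bits, because the size rule applies to RSA keys only; the 1024-bit RSA CA fails on key size alone; the encrypted key is rejected before anything else is checked, which matches the product's behaviour of not accepting passphrase-protected keys. To validate a chain, call the function once per certificate in it with the kind argument set to "ca" for every certificate above the leaf.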