Cisco Bug: CSCzv05731 - Appliance is not replacing the expired intermediate certificate with...

Last Modified

Nov 12, 2016

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

7.1.3-014 7.1.4-000 7.5.0-000 7.5.1-000 7.7.0-000

Description (partial)

The Cisco WSA does not replace an expired intermediate certificate with the updated version of that intermediate certificate (as browsers do).
The WSA uses only the intermediate certificate originally provided by the client, ignores the imported, updated version, and drops the request if the HTTPS proxy is configured to block expired certificates.

The issue happens only if the HTTPS site has the following certificate chain:
1. Root certificate - valid ---> Intermediate certificate - expired, but an updated version has been published by the CA and imported to the Trusted Root Certification Authorities.
2. Server certificate - valid
3. WSA HTTPS proxy is configured to block sites with expired certificates.
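
The two behaviours described above, as a simplified path-building model (an added example, not Cisco's code or part of the bug record). It assumes the re-issued intermediate keeps the same subject and key as the expired one; the `Cert` fields, names and dates are constructed, and signature checks are left out.

```python
from dataclasses import dataclass
from datetime import datetime as D

@dataclass(frozen=True)
class Cert:  # simplified model: key_id stands in for the public key, no signatures
    subject: str
    issuer: str
    key_id: str
    issuer_key_id: str
    not_before: D
    not_after: D

    def valid_at(self, now):
        return self.not_before <= now <= self.not_after

def issued(parent, child):
    return parent.subject == child.issuer and parent.key_id == child.issuer_key_id

def build_path(leaf, supplied, store, roots, now, use_store):
    """Return [leaf, ..., root]; raise ValueError if no unexpired path exists."""
    # use_store=False models the reported behaviour: only the supplied chain is used.
    pool = list(supplied) + (list(store) if use_store else [])
    path = [leaf]
    while True:
        current = path[-1]
        if not current.valid_at(now):
            raise ValueError(f"expired certificate: {current.subject}")
        anchors = [r for r in roots if issued(r, current) and r.valid_at(now)]
        if anchors:
            return path + [anchors[0]]
        candidates = [c for c in pool if issued(c, current) and c not in path]
        if not candidates:
            raise ValueError(f"no issuer found for {current.subject}")
        # Prefer an unexpired issuer; keep an expired one last so the error names it.
        candidates.sort(key=lambda c: not c.valid_at(now))
        path.append(candidates[0])

# Constructed sample data (hypothetical names and dates).
ROOT = Cert("Example Root", "Example Root", "k-root", "k-root", D(2005, 1, 1), D(2030, 1, 1))
OLD_INT = Cert("Example Int", "Example Root", "k-int", "k-root", D(2008, 1, 1), D(2012, 1, 1))
NEW_INT = Cert("Example Int", "Example Root", "k-int", "k-root", D(2011, 6, 1), D(2020, 1, 1))
LEAF = Cert("www.example.test", "Example Int", "k-leaf", "k-int", D(2011, 1, 1), D(2014, 1, 1))
NOW = D(2013, 6, 1)

def check(use_store):
    """Expiry years of the accepted path, or the rejection reason as a string."""
    try:
        path = build_path(LEAF, [OLD_INT], [NEW_INT], [ROOT], NOW, use_store)
        return [c.not_after.year for c in path]
    except ValueError as exc:
        return str(exc)
```

`check(False)` rejects the site because only the supplied, expired intermediate is considered; `check(True)` accepts it by substituting the imported intermediate that matches the same issuer name and key.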
Bug details contain sensitive information and therefore require an account to be viewed.
