When a Cisco Umbrella web proxy is configured for decryption of HTTPS communication, the expiration date and time of the certificates received from the proxy will typically be within ten days of the present date and time. This is a security feature and requires no end-user action. Renewal will be automatic.
Certificate lifetimes with proxy decryption
When web clients send HTTPS communication (HTTP requests encrypted with TLS) through the Umbrella Secure Web Gateway (SWG) proxy or the Intelligent Proxy (IP), and the proxy is configured to decrypt HTTPS communication, the proxy rewrites the leaf certificate belonging to the server and replaces any intermediate certificates also sent by the server with Cisco intermediate certificates. This certificate chain replacement is the standard technique by which web proxies decrypt requests and responses that are encrypted with TLS.
The new leaf and intermediate certificates are created dynamically. The Not Before and Not After dates in these certificates will typically show short lifetimes of not more than ten days, as an enhanced security measure. Renewal will be automatic, requiring no end-user action.
For example, in the images below, retrieved on April 8th, 2023, the leaf certificate from example.com has a Validity Not After date of April 11th, 2023 (3 days of validity remaining).
Similarly, the first intermediate certificate in the chain, the Cisco Umbrella Secondary SubCA certificate, has a Validity Not After (expiration) date of April 17th, 2023.
The Not Before and Not After dates of certificates in the chain will typically not be identical, because each certificate is created at the moment it is first needed by any user of the proxy instance, so the creation times vary.
Note: Short-lived certificate issuance does not apply to either of:
- the Cisco Umbrella Root CA root certificate (seen when using the default configuration)
- the Cisco Umbrella Customers CA intermediate certificate (seen when using Customer CA Signed Certificates)
In either configuration, the aforementioned certificates will have longer validity periods.
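As an added example (not code from Cisco or this article), the Go program below mints a constructed three-certificate chain shaped like the April 2023 example above and applies the article's rule: a leaf or intermediate issued under a Cisco Umbrella name with a lifetime of ten days or less fits the short-lived proxy profile, while the long-lived Root CA does not. The certificate names, the Ed25519 keys, the issuer-name check and the exact ten-day threshold are assumptions for illustration; the real proxy-issued certificates will differ in their details.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Ten-day ceiling the article gives for certificates minted by the decrypting proxy.
const maxProxyLifetime = 10 * 24 * time.Hour
// lifetime is the full Not Before to Not After window of a certificate.
func lifetime(c *x509.Certificate) time.Duration { return c.NotAfter.Sub(c.NotBefore) }

// looksProxyMinted: a Cisco Umbrella issuer plus a lifetime of at most ten days; the long-lived Root CA and Customers CA fail this.
func looksProxyMinted(c *x509.Certificate) bool {
	return strings.Contains(c.Issuer.CommonName, "Cisco Umbrella") && lifetime(c) <= maxProxyLifetime
}

// mintCert builds a constructed test certificate (not a real Umbrella one); a nil parent means self-signed.
func mintCert(cn string, from time.Time, days int, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(int64(days)), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: from, NotAfter: from.Add(time.Duration(days) * 24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// sampleChain mirrors the article's April 8th, 2023 example: a 3-day leaf for example.com under a
// 9-day "Cisco Umbrella Secondary SubCA", chained to a long-lived "Cisco Umbrella Root CA".
func sampleChain() []*x509.Certificate {
	now := time.Date(2023, 4, 8, 0, 0, 0, 0, time.UTC)
	root, rootKey := mintCert("Cisco Umbrella Root CA", now.AddDate(-1, 0, 0), 3650, true, nil, nil)
	sub, subKey := mintCert("Cisco Umbrella Secondary SubCA", now, 9, true, root, rootKey)
	leaf, _ := mintCert("example.com", now, 3, false, sub, subKey)
	return []*x509.Certificate{leaf, sub, root}
}

func main() { for _, c := range sampleChain() { fmt.Println(c.Subject.CommonName, lifetime(c), looksProxyMinted(c)) } }
```

Pointing looksProxyMinted at a chain captured from a real client (for example via crypto/tls's ConnectionState().PeerCertificates) shows at a glance whether the session was decrypted by the proxy and when its certificates will roll over.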