Configure Certificates for Known Key and Re-Sign Decryption

If you implement decryption, either by re-signing or using known keys, you need to identify the certificates that the SSL decryption rules can use. Ensure that all certificates are valid and unexpired.

Especially for known-key decryption, you need to ensure that the system has the current certificate and key for each destination server whose connections you are decrypting. With a decrypt known-key rule, the device uses the actual certificate and private key of the destination server for decryption. If the server's certificate or key is rotated and the FDM-managed device still holds the old pair, decryption of connections to that server fails, so you must keep the current certificate and key on the device at all times.

Upload a new internal certificate and key whenever you change the certificate or key on the destination server in a known-key rule. Upload them as an internal certificate (not an internal CA certificate). You can upload the certificate and key during the following procedure, or beforehand on the Objects page by clicking the button and selecting FTD > Certificate.

Procedure


Step 1

In the navigation pane, click Inventory.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the FTD tab, select the device for which you want to create the SSL policy, and click Policy in the Management pane at the right.

Step 4

Click SSL Decryption in the policy bar.

Step 5

Click the certificate button in the SSL decryption policy bar.

Step 6

In the SSL Decryption Configuration dialog, click the Select Decrypt Re-Sign Certificate menu and select or create the internal CA certificate to use for rules that implement decryption with re-signed certificates. You can use the pre-defined NGFW-Default-InternalCA certificate, or one that you created or uploaded.

If you have not already installed the certificate in client browsers, click the download button to obtain a copy. Until clients trust this CA, every re-signed connection produces a certificate warning in the browser. See the documentation for each browser for information on how to install the certificate. Also see the Downloading the CA Certificate for Decrypt Re-Sign Rules section of the Security Policies chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running.

Step 7

For each rule that decrypts using a known key, upload the internal certificate and key for the destination server.

Step 8

Click under Decrypt Known-Key Certificates.

Step 9

Select the internal identity certificate, or click Create New Internal Certificate to upload it now.

Step 10

Click Save.

Step 11

Review and deploy the changes you made now, or wait and deploy multiple changes at once.
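The checks a practitioner would run before uploading a pair for a Decrypt Known-Key rule (Steps 7 to 9, and the requirement above that the device always holds the server's current certificate and key) or a CA for Decrypt Re-Sign rules (Step 6). This is an added example using the openssl command-line tool; it is not part of the original page and not Cisco tooling. The host name web.example.internal, the file names, and the 30-day expiry threshold are assumptions, and all certificates are generated locally as constructed test material so the script runs offline. The live_cert_fingerprint function, which needs network access, is defined but not called.

```shell
#!/bin/sh
# Added example: offline pre-upload checks for FDM SSL decryption certificates.
# Not Cisco code; every host name, file name and threshold below is an assumption.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material. Each call writes <name>.key and a self-signed <name>.crt
# into $WORK with the given CN, validity in days, and basicConstraints value.
make_cert() {  # make_cert <name> <CN> <days> <CA:TRUE|CA:FALSE>
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,%s\n' "$4" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days "$3" \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# 0 if the private key's public half is byte-identical to the certificate's public key.
cert_key_match() {  # cert_key_match <cert> <key>
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# 0 if the certificate is unexpired and stays valid for at least <days> more days.
cert_valid_for_days() {  # cert_valid_for_days <cert> <days>
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if the certificate carries basicConstraints CA:TRUE.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# SHA-256 fingerprint, for comparing the stored copy against what a server presents.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate a live server presents on port 443 (needs network; not run here).
live_cert_fingerprint() {  # live_cert_fingerprint <host>
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Pre-upload checks for a Decrypt Known-Key pair: key must match, cert must not be
# expiring, and the object must be an identity (leaf) certificate, not a CA certificate.
known_key_precheck() {  # known_key_precheck <cert> <key> <min_days_left>
  cert_key_match "$1" "$2"      || { echo "REJECT $1: private key does not match"; return 1; }
  cert_valid_for_days "$1" "$3" || { echo "REJECT $1: expired or expires within $3 days"; return 1; }
  ! cert_is_ca "$1"             || { echo "REJECT $1: CA certificate, upload as internal certificate only"; return 1; }
  echo "OK $1"
}

# Pre-upload checks for a Decrypt Re-Sign CA: key must match, cert must not be expiring,
# and it must actually be a CA, or the device cannot sign the substitute server certificates.
resign_ca_precheck() {  # resign_ca_precheck <cert> <key> <min_days_left>
  cert_key_match "$1" "$2"      || { echo "REJECT $1: private key does not match"; return 1; }
  cert_valid_for_days "$1" "$3" || { echo "REJECT $1: expired or expires within $3 days"; return 1; }
  cert_is_ca "$1"               || { echo "REJECT $1: not a CA certificate"; return 1; }
  echo "OK $1"
}

# Constructed scenario: a current server pair, the pair after a rotation on the server,
# a certificate that is about to expire, and an internal CA.
make_cert server  web.example.internal  365 CA:FALSE
make_cert rotated web.example.internal  365 CA:FALSE
make_cert short   web.example.internal  5   CA:FALSE
make_cert ca      "Example Internal CA" 365 CA:TRUE

known_key_precheck "$WORK/server.crt" "$WORK/server.key"  30 || true   # passes
known_key_precheck "$WORK/server.crt" "$WORK/rotated.key" 30 || true   # stale pair after rotation
known_key_precheck "$WORK/short.crt"  "$WORK/short.key"   30 || true   # rotate before it expires
known_key_precheck "$WORK/ca.crt"     "$WORK/ca.key"      30 || true   # wrong object type
resign_ca_precheck "$WORK/ca.crt"     "$WORK/ca.key"      30 || true   # passes
```

The key-match check compares the SubjectPublicKeyInfo from both files rather than an RSA modulus, so it works unchanged for ECDSA keys. After a server rotates its certificate, comparing cert_fingerprint of the stored copy against live_cert_fingerprint of the real host is the quickest way to detect the stale pair that would otherwise silently break a known-key rule.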