https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230331#M1010987 <P>What do you mean with 3rd party? It can *not* be done with a certificate that you purchase from a public CA. You need a certificate that has the basic constraints set so that you can issue certificates. You only get this with a self-signed certificate or from&nbsp;a private CA. In both cases, the local self-signed or the private root-certificate needs to be trusted by the clients. These certificates are completely unrelated to your AD.</P> Mon, 11 Dec 2017 19:00:30 GMT Karsten Iwen 2017-12-11T19:00:30Z https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230194#M1010656 <P>Hi,</P> <P>Is it possible to configure SSL decryption to inspect the traffic using 3rd party certificate ? I aim having 6 different AD trees behind this firewall with about 500 users.&nbsp;</P> <P>Also is this unit good enough support SSL decryption?&nbsp;</P> <P>Thanks</P> <P>Charles</P> Fri, 21 Feb 2020 14:56:22 GMT https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230194#M1010656 charles_nana 2020-02-21T14:56:22Z https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230240#M1010660 <P>You can use 3rd party certificate for SSL decryption on the firepower.</P> <P>SSL decryption on an ASA with firepower can have a performance decrease of up to 80%, because it is done in software.</P> <P>The new Firepower models 4100 and 9000 do it in hardware and should have a much better performance.</P> Mon, 11 Dec 2017 16:11:31 GMT https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230240#M1010660 Bogdan Nita 2017-12-11T16:11:31Z https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230245#M1010662 <P>Thank you for your reply.</P> Mon, 11 Dec 2017 16:16:20 GMT https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230245#M1010662 charles_nana 2017-12-11T16:16:20Z https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230331#M1010987 <P>What do you mean with 3rd party? It can *not* be done with a certificate that you purchase from a public CA. You need a certificate that has the basic constraints set so that you can issue certificates. You only get this with a self-signed certificate or from&nbsp;a private CA. In both cases, the local self-signed or the private root-certificate needs to be trusted by the clients. These certificates are completely unrelated to your AD.</P> Mon, 11 Dec 2017 19:00:30 GMT https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230331#M1010987 Karsten Iwen 2017-12-11T19:00:30Z https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230685#M1010989 <P>Hi Karsten,</P> <P>Thank you for pointing that out. I usually hear <SPAN>3rd party certificate&nbsp;</SPAN>when referring to certificates issued by private CAs and my above answer was based on that.</P> Tue, 12 Dec 2017 10:20:41 GMT https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230685#M1010989 Bogdan Nita 2017-12-12T10:20:41Z https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230830#M1010990 <P>Hi,</P> <P>What I wanted to know was whether I can use a certificate purchased from a CA like Godaddy. As I don't want to maintain a CA in house.</P> <P>&nbsp;</P> <P>Thanks</P> <P>Charles</P> Tue, 12 Dec 2017 14:15:09 GMT https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230830#M1010990 charles_nana 2017-12-12T14:15:09Z https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230842#M1010991 As already mentioned: No, you can't! Tue, 12 Dec 2017 14:27:35 GMT https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230842#M1010991 Karsten Iwen 2017-12-12T14:27:35Z https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230868#M1010993 <P>Public CAs, like Godaddy will not sign certificates that can be used in man in the middle SSL decryption.</P> <P>The options for certificates used for SSL decryption are self-signed or&nbsp;enterprise CA-signed certificate.</P> <P>Sorry for misunderstanding your original question.</P> Tue, 12 Dec 2017 14:46:18 GMT https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3230868#M1010993 Bogdan Nita 2017-12-12T14:46:18Z https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3231012#M1010996 <P>Hi Bogdan,</P> <P>Thanks for your reply. If I have to use self-signed or enterprise CA-signed certificate, those will not be trusted by the non-domain devices like phones and tablets. Any suggestions on how to deliver these certificates to non-domain devices?</P> <P>&nbsp;</P> Tue, 12 Dec 2017 17:58:15 GMT https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3231012#M1010996 charles_nana 2017-12-12T17:58:15Z https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3231020#M1010999 That is typically done with the mobile device management. Tue, 12 Dec 2017 18:12:54 GMT https://community.cisco.com/t5/network-security/ssl-decryption-for-asa-5516x-with-firepower/m-p/3231020#M1010999 Karsten Iwen 2017-12-12T18:12:54Z