https://community.cisco.com/t5/network-security/ssl-decrypt-issues-in-6-7-firepower/m-p/4188498#M1076108 Hi,<BR /><BR />Can you compare the certificate when there is an error and without the<BR />error.? Confirm that resignation is done both times by the same FTD. It<BR />doesn't seem the case. Also, confirm that the CN of the certificate in both<BR />cases to see that you are hitting the same destination server.<BR /><BR />If the error disappears after refresh, this is a good sign that you are not<BR />following the same path both times.<BR /><BR />***** please remember to rate useful posts<BR /> Wed, 25 Nov 2020 05:55:28 GMT Mohammed al Baqari 2020-11-25T05:55:28Z https://community.cisco.com/t5/network-security/ssl-decrypt-issues-in-6-7-firepower/m-p/4188175#M1076097 <P>Hello, I am wondering if anyone has tested the SSL Decrypt-resign function for DPI on their endpoints in 6.7? We are experiencing an odd behavior across multiple browsers using Win10 1809 that when you first load a web page you get a certificate error:&nbsp;<SPAN>NET::ERR_CERT_AUTHORITY_INVALID. After you refresh the page, however, the certificate message goes away. If I close and reopen Chrome, and try the same webpages that previously failed, I don't get any warning message. If I look at the certificate properties within Chrome, it shows my FTD as the "Issued by" which is the default or normal behavior.</SPAN></P> Tue, 24 Nov 2020 16:14:08 GMT https://community.cisco.com/t5/network-security/ssl-decrypt-issues-in-6-7-firepower/m-p/4188175#M1076097 ryan14 2020-11-24T16:14:08Z https://community.cisco.com/t5/network-security/ssl-decrypt-issues-in-6-7-firepower/m-p/4188498#M1076108 Hi,<BR /><BR />Can you compare the certificate when there is an error and without the<BR />error.? Confirm that resignation is done both times by the same FTD. It<BR />doesn't seem the case. Also, confirm that the CN of the certificate in both<BR />cases to see that you are hitting the same destination server.<BR /><BR />If the error disappears after refresh, this is a good sign that you are not<BR />following the same path both times.<BR /><BR />***** please remember to rate useful posts<BR /> Wed, 25 Nov 2020 05:55:28 GMT https://community.cisco.com/t5/network-security/ssl-decrypt-issues-in-6-7-firepower/m-p/4188498#M1076108 Mohammed al Baqari 2020-11-25T05:55:28Z https://community.cisco.com/t5/network-security/ssl-decrypt-issues-in-6-7-firepower/m-p/4190828#M1076284 <P>I looked at the SAN in the certificate properties window and it does match. It's the same behavior every time. If I go to newsite.com, I will get the error message on the very first time I try to load that page. Afterwards, any time I try to go to newsite.com, I never see any certificate errors. Even if I open a new browser and go to newsite.com, I don't get the error message. Its only the very first time I try and go to a new SSL protected website. This behavior did not happen in 6.4, 6.6 for us but started in 6.7. We had to go to 6.7 due to a bug in 6.6.1. If my traffic was taking a different path randomly, you would expect to see the certificate error at those random times it fails. But it is not that behavior. The sites and SSL decrypt policy work after the initial failure.</P> Mon, 30 Nov 2020 15:55:29 GMT https://community.cisco.com/t5/network-security/ssl-decrypt-issues-in-6-7-firepower/m-p/4190828#M1076284 ryan14 2020-11-30T15:55:29Z