https://community.cisco.com/t5/network-security/ftd-fmc-ssl-decrypt-issue/m-p/4458366#M1083269 <P>I kinda wondered about that.&nbsp; Was just trying to make it so I didn't have to worry about having a PKI environment to do the testing.&nbsp; THanks!!!</P> Wed, 01 Sep 2021 16:20:31 GMT stamperbrian 2021-09-01T16:20:31Z https://community.cisco.com/t5/network-security/ftd-fmc-ssl-decrypt-issue/m-p/4458346#M1083267 <P>I am doing some testing in a lab environment with the SSL Decryption.&nbsp; Because its lab and I don't have an internal CA that the machines trust I ended up using a public signed certificate so all the clients would trust it.&nbsp; The FTD appears to be doing the re-assign just fine.&nbsp; However, every site I go to in any browser I get NET:ERR_CERT_INVALID.</P><P>Example:</P><P><A href="http://www.nfl.com" target="_blank" rel="noopener">www.nfl.com</A>&nbsp;normally uses encryption to protect your information.&nbsp; When Microsoft Edge tried to connect to <A href="http://www.nfl.com" target="_blank" rel="noopener">www.nfl.com</A>&nbsp;this time, the website sent back unusual and incorrect credentials....</P><P>&nbsp;</P><P>WHen I look at the certs in the browser:</P><P>I see my public cert that I put in and it states:</P><P>This certificate does not appear to be valid for the selected purpose.</P><P>&nbsp;</P><P>The rest of the cert path is fine and in tact/trusted.&nbsp;&nbsp;</P><P>&nbsp;</P><P>I'm probably trying to do something that doesn't work at all but figured it shouldn't matter what cert I use to resign with as long as the client machines trust it?</P> Wed, 01 Sep 2021 15:47:06 GMT https://community.cisco.com/t5/network-security/ftd-fmc-ssl-decrypt-issue/m-p/4458346#M1083267 stamperbrian 2021-09-01T15:47:06Z https://community.cisco.com/t5/network-security/ftd-fmc-ssl-decrypt-issue/m-p/4458365#M1083268 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/369402">@stamperbrian</a>&nbsp;</P> <P>If you are using a Public signed certificate, then that won't work. For SSL decryption you'll need a CA certficate which can re-sign certificates on the fly.</P> <P>&nbsp;</P> <P>Once configured and SSL decryption is working correctly, when you checked the certificate issued to a site, you'd see it was issued by your CA rather than the actual public CA.</P> <P>&nbsp;</P> <P>A public CA that signed your identity certificate is not going to give you a CA certificate, otherwise you'd be able to spoof any domain. You'd need to use an Internal CA (i.e Microsoft Windows Server CA).</P> <P>&nbsp;</P> <P>See <A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-certificates.html" target="_self">this link</A> for certificate types by feature.</P> <P>&nbsp;</P> <P>And <A href="https://integratingit.wordpress.com/2019/02/16/firepower-ssl-decryption/" target="_self">this link</A> to use Microsoft CA to issue the CA certificate to FMC for SSL decryption.</P> Wed, 01 Sep 2021 16:20:43 GMT https://community.cisco.com/t5/network-security/ftd-fmc-ssl-decrypt-issue/m-p/4458365#M1083268 Rob Ingram 2021-09-01T16:20:43Z https://community.cisco.com/t5/network-security/ftd-fmc-ssl-decrypt-issue/m-p/4458366#M1083269 <P>I kinda wondered about that.&nbsp; Was just trying to make it so I didn't have to worry about having a PKI environment to do the testing.&nbsp; THanks!!!</P> Wed, 01 Sep 2021 16:20:31 GMT https://community.cisco.com/t5/network-security/ftd-fmc-ssl-decrypt-issue/m-p/4458366#M1083269 stamperbrian 2021-09-01T16:20:31Z