Decryption is not working

bharat.bhushan.mehta — Tue, 18 Jul 2023 13:44:16 GMT

Hello Team,

Decryption is not happening on windows vm which is residing behind the cisco FTD,

I followed below steps for generate the certificate.

1. openssl genrsa -out server.key 4096

2. openssl req -new -key server.key -out server.csr

3. openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

4. Import CA manually, uploaded the ablove generated certificate and key.

5. Download the certificate from internal CA of FMC and installed on windows vm.

6. Created the SSL policy with decrypt-resign. but when i am trying to access any website from windows vm its giving me ssl error.

but in bowser certificate its showing the certificate which i installed.

Need your support here, what else needs to be done.

Thanks in advance

//Bharat

Re: Decryption is not working

Divya Jain — Fri, 11 Aug 2023 07:19:20 GMT

Hi Bharat,

If you elect to decrypt and re-sign traffic, the system acts as a man-in-the-middle.

For example, the user types in https://www.cisco.com in a browser. The traffic reaches the FTD device, the device then negotiates with the user using the CA certificate specified in the rule and builds an SSL tunnel between the user and the FTD device. At the same time the device connects to https://www.cisco.com and creates an SSL tunnel between the server and the FTD device.

Thus, the user sees the CA certificate configured for the SSL decryption rule instead of the certificate from www.cisco.com. The user must trust the certificate to complete the connection. The FTD device then performs decryption/re-encryption in both directions for traffic between the user and destination server.

If the client does not trust the CA used to re-sign the server certificate, it warns the user that the certificate should not be trusted. To prevent this, import the CA certificate into the client trusted CA store. Alternatively, if your organization has a private PKI, you can issue an intermediate CA certificate signed by the root CA which is automatically trusted by all clients in the organization, then upload that CA certificate to the device.

Please refer this link to check steps again : https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-ssl-decryption.html

Also on FMC you can check for SSL events that will give you more details about the error which will help fix the config. If possible can you hsare that screenshot here?

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Regards,

Divya Jain

topic Decryption is not working in Network Security

Decryption is not working

Re: Decryption is not working