topic Re: SSL Decryption using certificate generated from Active Directory C in Network Security

SSL Decryption using certificate generated from Active Directory CA?

davparker — Wed, 26 Jun 2024 22:04:35 GMT

I have not been able to find any good documentation on how to generate/install a certificate issued by an Active Directory CA for use with SSL Decryption policy. I've read through the config guides for 7.2x. It seems like this would be an incredibly common scenario. Any help would be appreciated.

Thanks - David

Re: SSL Decryption using certificate generated from Active Directory C

Rob Ingram — Wed, 26 Jun 2024 22:17:00 GMT

@davparker try this guide https://integratingit.wordpress.com/2019/02/16/firepower-ssl-decryption/

When signing the CSR make sure the certificate template selected is the Subordinate Root Authority.

Re: SSL Decryption using certificate generated from Active Directory C

MHM Cisco World — Wed, 26 Jun 2024 22:20:50 GMT

https://integratingit.wordpress.com/2019/02/16/firepower-ssl-decryption/

https://www.youtube.com/watch?v=tAIdcZ3EBiw&t=207s

check these link

MHM

Re: SSL Decryption using certificate generated from Active Directory C

davparker — Thu, 27 Jun 2024 14:41:36 GMT

Thanks. My PKI person is asking about the compatibility settings on Subordinate Certificate Authority Template used to generate the certificate for the following fields:

Certificate Authority
Certificate Recipient

Our AD servers are at ver 2016. Any thoughts?

Re: SSL Decryption using certificate generated from Active Directory C

Rob Ingram — Thu, 27 Jun 2024 15:14:50 GMT

@davparker the standard Microsoft Sub CA template will suffice. They could duplicate the existing template (without modifications) if they wish.

Re: SSL Decryption using certificate generated from Active Directory C

davparker — Thu, 27 Jun 2024 20:51:24 GMT

Very nice! Decryption is now working. Now trying to figure out what not to decrypt prior to enabling it for more resources.

Re: SSL Decryption using certificate generated from Active Directory C

Rob Ingram — Thu, 27 Jun 2024 20:58:06 GMT

@davparker glad to hear it's working.

FYI, SSL decryption is expensive on resources, so I would be selective on what you decrypt, don't decrypt everything.

Re: SSL Decryption using certificate generated from Active Directory C

MHM Cisco World — Thu, 27 Jun 2024 21:20:32 GMT

I think you need to config decrypt known key i.e. the server inside your network
so using it IP to filter which traffic need to decrypt
if you allow all traffic your traffic will start drop

MHM

Re: SSL Decryption using certificate generated from Active Directory C

davparker — Thu, 27 Jun 2024 22:02:03 GMT

All our Internet exposed servers are in external data centers. We basically have no inbound rules other than what is needed for VPN. I plan on excluding traffic from decryption for our common domains where most our business apps reside. Also excluding stuff like WebEx and Teams. Also for What categories of web traffic do people typically decrypt traffic for?

Re: SSL Decryption using certificate generated from Active Directory C

davparker — Tue, 02 Jul 2024 18:16:09 GMT

FYI,

I found this resource to be very helpful when trying to figure out what to decrypt vs DND. BRKSEC-3063 (ciscolive.com)