06-04-2019 12:04 AM - edited 02-21-2020 09:11 AM
Hi ALL,
In the SSL Policy of Firepower there is a "Trusted CA Certificates" tab which I have never seen described in any Cisco documentation, so I do not know what its importance is. I mean all guides and configuration samples show the implementation of an SSL Policy without even touching that section. I wonder what its importance is?
Thanks in advance!
06-04-2019 07:30 AM
As noted in the configuration guide, "You can trust CAs by adding root and intermediate CA certificates to your SSL policy, then use these trusted CAs to verify server certificates used to encrypt traffic."
Basically it adds another layer of verification. As you observe, it is not mandatory.
06-06-2019 10:15 PM - edited 06-06-2019 10:21 PM
First of all, thank you, for your response.
As you mentioned, it is not mandatory, so this means that, as it is now configured in my policy, I am not using any CA certificate, not even my internal CA, and it should not create any problem. I wonder what the differences would be if I used them, or let me clarify my question: what additional verifications can be done by using them? Could you please provide an example?
Thanks in advance!
06-07-2019 02:03 AM
You could add a given CA into Trusted CAs so that Firepower will check that CA for a Certificate Revocation List (CRL) when decrypting traffic to a site with a certificate issued by that CA. If the certificate is found to have been revoked you could then block the traffic.
Your FMC online help provides some further examples. See:
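The verification the reply above describes, as an added shell example that is not part of the thread or of Cisco's documentation: it stands up a throwaway internal CA with the OpenSSL CLI, issues two server certificates, revokes one and publishes a CRL, then shows that a verifier which trusts only that CA accepts the first certificate and rejects the revoked one. Hostnames, file names and the `decision` function are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): a throwaway internal CA,
# two server certificates it issued, and a verifier that trusts only that CA
# and honours its CRL. All names are constructed placeholders.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Internal root CA: the certificate you would upload as a trusted CA
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout ca.key -out ca.crt -subj "/CN=Example Internal Root CA" 2>/dev/null

# 2. Two server certificates issued by that CA
for host in intranet.example.test hr.example.test; do
  openssl req -newkey rsa:2048 -nodes -keyout "$host.key" -out "$host.csr" \
    -subj "/CN=$host" 2>/dev/null
  openssl x509 -req -in "$host.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -out "$host.crt" 2>/dev/null
done

# 3. Minimal 'openssl ca' setup so the CA can track revocations and sign a CRL
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = internal
[ internal ]
database         = index.txt
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 7
crlnumber        = crlnumber
EOF
touch index.txt
echo 01 > crlnumber

# 4. Revoke one server certificate and publish the CRL
openssl ca -config ca.cnf -revoke hr.example.test.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# decision: prints "allow" when the chain validates against the trusted CA and
# the certificate is absent from that CA's CRL, otherwise "block"
decision() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" >/dev/null 2>&1
  then echo allow; else echo block; fi
}

echo "intranet.example.test: $(decision intranet.example.test.crt)"   # allow
echo "hr.example.test:       $(decision hr.example.test.crt)"         # block
```

Without the CA in the trusted set the verifier cannot build a chain for either certificate at all; with it, the CRL is what turns the revoked one into a block decision.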