SSL Policy Trusted CA Certificates Tab

orkhan.rustamli.96 · ‎06-04-2019

Hi ALL,

In SSL Policy of Firepower there is "Trusted CA Certificates" tab which I have never seen being described in any Cisco documentation what is its importance. I mean all guide and configuration sample show implementing of SSL Policy without even touching that section. I wonder what is its importance?

Thanks in advance!

Marvin Rhoads · ‎06-04-2019

As noted in the configuration guide, "You can trust CAs by adding root and intermediate CA certificates to your SSL policy, then use these trusted CAs to verify server certificates used to encrypt traffic."

Basically it adds another layer of verification. As you observe, it is not mandatory.

orkhan.rustamli.96 · ‎06-06-2019

First of all, thank you, for your response.

As you mentioned it is not mandatory so this means as now it is configured in my policy, I am not using any CA certificate even my internal CA and it should not create any problem. I wonder what differences would be if I use them or let me clarify my question, what additional verifications can be done by using them. May you, please, provide any example?

Thanks in advance!

Marvin Rhoads · ‎06-07-2019

You could add a given CA into Trusted CAs so that Firepower will check that CA for a Certificate Revocation List (CRL) when decrypting traffic to a site with a certificate issued by that CA. If the certificate is found to have been revoked you could then block the traffic.

Your FMC online help provides some further examples. See:

https://<your FMC FQDN or IP>/help_files/index.html#!t_Matching_Traffic_on_Certificate_Status.html#ID-2255-0000065e