Cisco Firepower management center SSL Policy Configuration

M.Jallad
Level 1

Dears,

We have a deployment in which FMC version 6.2 manages 8000 series Firepower devices. We applied an SSL policy to decrypt traffic for a specific domain, say "*.mozilla.org" for example.

We first tried creating a self-signed certificate on FMC and using it in the decrypt-resign SSL policy rule, and it worked successfully.

However, now we need to generate a new certificate using our CA. So we did the following:

1. Created a new CSR from FMC and sent it to the CA admin.

2. Downloaded the CA certificate chain for the CA, imported it on FMC as a trusted CA and used it inside the previously created SSL rule.

3. Enrolled the requested certificate from the CA.

4. Bound the enrolled certificate on FMC.

5. Modified the previously created SSL rule to use the new bound certificate.

6. Saved and deployed on FMC for the specific IPS device.

After doing the above procedure, users were not able to access the specific domain in the SSL rule.

I would appreciate it if you could share your opinion and experience on this.

Best Regards,

Muayad Jallad

3 Replies

Marvin Rhoads
Hall of Fame

To be used in an SSL policy ("decrypt and re-sign") you need a special type of X.509 certificate with those features enabled. The procedure you followed to get a certificate issued will not necessarily give you such a certificate.

Your CA must use a particular template in order to issue the certificate with those features. Can you check with your CA admin to see if that was taken into account?

Hi Marvin,

Could you please elaborate more on this, as there is not enough documentation for this part in the FMC guide: what type of certificate template needs to be used on the CA to sign the FMC CSR?

Thanks,

@e-m-jallad,

You're right, this isn't really covered in the Configuration Guide. It's covered in some training but not in the published documentation. It is mentioned briefly in the Cisco Live USA 2016 presentation BRKSEC-2042 (pages 59-60).

Fortunately there is a great free online resource at LabMinutes.com created by Metha Cheiwanichakorn that walks you through this step by step. Please see:

http://www.labminutes.com/sec0228_asa_firepower_60_ssl_decryption_2

The template that Metha recommends using is one for a Subordinate CA, as it will include the key usage "certificate signing" in the issued certificate. You could also create a custom template as long as it included this key usage (as well as the standard "digital signature" for server certificate usage).
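To make the requirement in this reply concrete, here is an added example (not code from the thread, from Cisco or from LabMinutes) that builds two throwaway self-signed certificates, one shaped like a web-server template (digitalSignature only, not a CA) and one shaped like a subordinate-CA template (CA:TRUE plus keyCertSign), and reports which decrypt-resign prerequisites each one lacks. The function names and the certificate names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// missingForResign lists the decrypt-resign prerequisites this certificate lacks.
func missingForResign(cert *x509.Certificate) []string {
	var missing []string
	if !cert.BasicConstraintsValid || !cert.IsCA {
		missing = append(missing, "basicConstraints CA:TRUE")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		missing = append(missing, "keyUsage keyCertSign")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		missing = append(missing, "keyUsage digitalSignature")
	}
	return missing
}

// selfSigned builds a throwaway self-signed test certificate (constructed data, not a real one).
func selfSigned(cn string, isCA bool, usage x509.KeyUsage) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, BasicConstraintsValid: true, IsCA: isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	server := selfSigned("fmc-server", false, x509.KeyUsageDigitalSignature)
	subCA := selfSigned("fmc-resign-ca", true, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign)
	for _, c := range []*x509.Certificate{server, subCA} {
		fmt.Printf("%s: missing=%v\n", c.Subject.CommonName, missingForResign(c))
	}
}
```

The same check can be run against the certificate your CA actually issued by loading its PEM with encoding/pem and x509.ParseCertificate, which confirms CA:TRUE and keyCertSign are present before the certificate is bound in FMC.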
