02-28-2022 09:20 AM
Hi All,
The customer needs to configure an SSL policy on a Cisco FTD 2130 model, but they are not going to use/generate a self-signed or CSR certificate for this requirement. Is it possible for the customer to use its own wildcard certificate for the SSL policy?
Please help.
02-28-2022 09:37 AM - edited 02-28-2022 09:44 AM
@sv7 You need a CA certificate for TLS decryption, as the FTD will perform a MiTM and spoof the certificate.
You would need a private CA, such as Microsoft, for this purpose. You will need a CA signing authority certificate, not a typical identity certificate.
More information:
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3063.pdf
02-28-2022 09:47 AM
Like Rob said - you need to issue a certificate-issuing certificate to FTD from your private CA if you want to decrypt outgoing traffic.
If you only want to decrypt and inspect incoming traffic to servers that use the wildcard (or other) certificate, you can use that as long as you have the private key(s).
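To make the distinction in the two replies above concrete (a CA signing certificate for decrypt-resign versus an identity certificate such as a wildcard cert), here is an added check that is not from the thread and not Cisco tooling: it generates a constructed private CA certificate and a constructed wildcard server certificate with openssl and reports which of them is able to issue certificates. It assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: tell a CA signing certificate (what decrypt-resign needs)
# apart from an ordinary wildcard identity certificate. Both certs are
# constructed here; the openssl CLI is assumed to be available.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the extensions are fully under our control.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.com
EOF

# Constructed private CA certificate (the kind decrypt-resign requires).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/openssl.cnf" \
  -subj "/CN=Example Internal CA" -extensions ca_ext \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Constructed wildcard identity certificate (only usable with its private
# key for decrypting traffic to the servers that present it).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/openssl.cnf" \
  -subj "/CN=*.example.com" -extensions leaf_ext \
  -keyout "$WORK/wild.key" -out "$WORK/wild.crt" 2>/dev/null

# Returns 0 only if the PEM cert can sign other certs: CA:TRUE plus keyCertSign.
can_resign() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' || return 1
  echo "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || return 1
}

for c in ca.crt wild.crt; do
  if can_resign "$WORK/$c"; then echo "$c: CA certificate, usable for decrypt-resign"
  else echo "$c: identity certificate, not usable for decrypt-resign"; fi
done
```

Run the same `can_resign` check against the customer's wildcard certificate file to confirm it lacks CA:TRUE and keyCertSign, which is why it cannot be used to re-sign outbound traffic.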
02-28-2022 09:34 PM
Hi,
As I understand it, it is clear that I have to generate a CSR from FMC, and after it gets signed by the CA authority it can be used for SSL decryption.
Please correct me if I'm wrong somewhere.
02-28-2022 11:37 PM - edited 02-28-2022 11:44 PM