
Decryption is not working

Hello Team,

Decryption is not happening on a Windows VM which is residing behind the Cisco FTD.

I followed the steps below to generate the certificate.

1. openssl genrsa -out server.key 4096

2. openssl req -new -key server.key -out server.csr

3. openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

4. Imported the CA manually and uploaded the above generated certificate and key.

5. Downloaded the certificate from the internal CA of FMC and installed it on the Windows VM.

6. Created the SSL policy with decrypt-resign, but when I am trying to access any website from the Windows VM it gives me an SSL error.

But in the browser the certificate it is showing is the one which I installed.

Need your support here; what else needs to be done?

Thanks in advance

//Bharat

1 Reply

Divya Jain
Cisco Employee

Hi Bharat,

If you elect to decrypt and re-sign traffic, the system acts as a man-in-the-middle.

For example, the user types in https://www.cisco.com in a browser. The traffic reaches the FTD device, the device then negotiates with the user using the CA certificate specified in the rule and builds an SSL tunnel between the user and the FTD device. At the same time the device connects to https://www.cisco.com and creates an SSL tunnel between the server and the FTD device.

Thus, the user sees the CA certificate configured for the SSL decryption rule instead of the certificate from www.cisco.com. The user must trust the certificate to complete the connection. The FTD device then performs decryption/re-encryption in both directions for traffic between the user and destination server.



If the client does not trust the CA used to re-sign the server certificate, it warns the user that the certificate should not be trusted. To prevent this, import the CA certificate into the client trusted CA store. Alternatively, if your organization has a private PKI, you can issue an intermediate CA certificate signed by the root CA which is automatically trusted by all clients in the organization, then upload that CA certificate to the device.

Please refer to this link to check the steps again: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-ssl-decryption.html

Also, on FMC you can check for SSL events, which will give you more details about the error and help fix the config. If possible, can you share that screenshot here?

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Regards,

Divya Jain
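As an added example (not from either post in this thread), the shell script below builds a CA certificate and key that carries the extensions a re-signing CA needs (basicConstraints CA:TRUE and the keyCertSign key usage), issues a constructed test leaf under it the way the FTD re-signs a server certificate, and checks that the leaf verifies against the CA, which is the same trust check the reply describes the client performing. The working directory, file names and subject names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a CA certificate and key with the
# extensions a decrypt-resign CA needs, issue a constructed test leaf under it,
# and check that the leaf verifies. File names and the CNs are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

write_ca_config() {
  # Explicit extensions: a plain 'x509 -req -signkey' cert carries none of these.
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Decrypt-Resign CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

make_resign_ca() {
  write_ca_config
  openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

ca_is_valid_issuer() {
  # Succeeds only if the certificate asserts CA:TRUE and the keyCertSign usage.
  openssl x509 -in "$WORK/ca.crt" -noout -text > "$WORK/ca.txt"
  grep -q "CA:TRUE" "$WORK/ca.txt" && grep -q "Certificate Sign" "$WORK/ca.txt"
}

issue_test_leaf() {
  # Mimics the re-sign step: a leaf for a hostname, signed with the CA key.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 30 -out "$WORK/leaf.crt" 2>/dev/null
}

leaf_chains_to_ca() {
  # The same path validation a client performs once the CA is in its trust store.
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" > /dev/null 2>&1
}
```

Running ca_is_valid_issuer against an existing certificate is a quick way to confirm it is actually a CA certificate before uploading it for decrypt-resign; a certificate that fails that check cannot act as an issuer no matter which trust store it is installed in.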
