FirePOWER SSL Decryption using Wildcard Certificate

Does anyone know if wildcard certificates are supported for SSL decryption? I can install the wildcard certificate into the FMC, but when I use it in my SSL policy I receive certificate errors when going to HTTPS sites. The wildcard cert is signed by DigiCert, which is a globally trusted CA. I am using the same certificate on an existing Websense appliance without any issues.

If I use a self-signed certificate on the FMC and install the certificate on my device I don't have the issue. But that isn't an option, as not all devices that will be inspected are company owned and can have the certificate installed.

Any advice would be appreciated.

Accepted Solution

jameever (Cisco Employee)

The short answer:

You must use an internal self-signed certificate for Decrypt Re-sign; any non-company-owned computer will need to trust your Root CA before being allowed on the network to avoid certificate errors.

These wildcard certificates can be used to protect internal servers with Decrypt Known Key.

The long answer:

It is not possible to use wildcard certificates signed by a globally trusted CA (DigiCert, for example) for Decrypt Resign for internet traffic. The reason behind this is that DigiCert provided you a wildcard for *.yourdomain.com; assuming your certificate has permission to sign new certificates and is not a simple server certificate, when the sensor uses that certificate to sign new certificates, the certificate only has permission to sign anything ending in .yourdomain.com, meaning if you went to homepage.yourdomain.com it would be a valid connection with no errors.

However, when you go to an external site, such as Cisco.com, that certificate cannot sign a valid server certificate for that website. This will throw errors in modern browsers because the URL domain will not match the certificate domain.

The type of certificate you need is a plain wildcard certificate with permission to sign any domain, meaning it can sign a server certificate for *.com, *.org, *.cisco.com, and so on. This would be a CA certificate. A globally trusted CA will not sign this certificate because this certificate would undermine the trust relationship behind HTTPS certificates. This type of certificate can spoof any known domain, and since most browsers trust global CAs, anyone using those browsers will be susceptible to a man-in-the-middle attack.

The reason this is dangerous is that you can pretend to be Cisco.com, and the client is not aware that the session is not actually secure and that you are decrypting all packets they send to this site. Another example of why this is dangerous: you could create your own web server named Cisco.com, and anyone landing on your site would not be able to tell the difference between your server and Cisco's unless they compared IPs, because the server certificate would "prove" it is Cisco.com and you would trust it because you trust who signed that certificate.
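As an added illustration of the distinction James draws above (this is not code from the thread or from Cisco), the Go program below inspects the X.509 attributes that decide whether a certificate can act as a Decrypt-Resign CA: basicConstraints CA:TRUE, keyUsage keyCertSign, and the absence of name constraints. ResignCheck, issue and Demo are names chosen here, and the internal root CA plus the *.yourdomain.com server certificate are generated in memory as constructed samples, so it runs offline.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ResignCheck reports whether cert carries what a Decrypt-Resign CA needs: basicConstraints
// CA:TRUE, keyUsage keyCertSign, and no name constraints limiting the domains it may sign for.
func ResignCheck(cert *x509.Certificate) (bool, string) {
	switch {
	case !cert.BasicConstraintsValid || !cert.IsCA:
		return false, "CA:FALSE: a server certificate, it cannot issue certificates"
	case cert.KeyUsage != 0 && cert.KeyUsage&x509.KeyUsageCertSign == 0:
		return false, "keyUsage lacks keyCertSign"
	case len(cert.PermittedDNSDomains) > 0:
		return false, "name constraints restrict which domains it may issue for"
	}
	return true, "usable for Decrypt-Resign"
}

// issue signs tmpl with parentKey (self-signed when parent is nil); constructed helper for Demo.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds an internal root CA and a *.yourdomain.com server certificate issued by it
// (the shape of a publicly issued wildcard cert) and checks both. Expected: (true, false).
func Demo() (internalCAOK, wildcardOK bool) {
	now := time.Now()
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Corp Decryption Root"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	wild, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"*.yourdomain.com"},
		Subject: pkix.Name{CommonName: "*.yourdomain.com"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}, root, rootKey)
	internalCAOK, _ = ResignCheck(root)
	wildcardOK, _ = ResignCheck(wild)
	return internalCAOK, wildcardOK
}
```

The same three checks can be read off a real certificate with `openssl x509 -noout -text` before it is uploaded to the FMC: a purchased wildcard shows CA:FALSE and fails the first one.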


5 Replies

James, I believe he asked something a bit different. Actually, I don't think he owns a CA cert signed by DigiCert, but a wildcard, which can't be used to sign other certs.

It's not about the wildcards here, but the type of cert, which is not a CA cert.

I think James answered exactly right, based on Nicholas's question. If you have a DigiCert wildcard you can request non-wildcard certs, none of which will work for SSL decryption.

You must use an internal CA certificate, as James has already mentioned.

This certificate can be deployed to AD machines using GPO and must be installed on guest and BYOD devices using something such as ISE or, in our case, redirecting users to a webpage after logging into the guest portal with instructions on how to install the certificate on their Android or iOS device. This works well, even with non-computer-savvy folks.

Thank you for the response. This is exactly the information I was looking for.

Thank you for your answer, but we have a problem: we want to do SSL decryption without getting SSL errors for either company users or guests. Because of that we bought a certificate and got 4 certificates, one of them a wildcard. Now our problem is that we can't upload a file to Cisco Firepower easily, and because of that we separated the certificate and the private key into two files and then uploaded them to Firepower, but with this configuration our browser is giving errors and we can't browse any HTTPS site.

You explained that with a wildcard certificate we can't do SSL decryption, so what can we do in our situation?
