Hi team,

I became totally confused after reading the TLS/SSL Decrypt-Resign Guidelines section (https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/decryption-rules.html#id_103845). I don't understand what practical implications below note can have... I believe browsers suggest all possible signature hash algorithms in the signature_algorithms extension and also it is allowed to [re]-sign a DSA public key from server certificate with RSA secret key of FTD CA (or vice versa) (https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2 ). So any FTD CA certificate should do, whether it is RSA or ECDSA and I don't understand what can go wrong.

From documentation:

If you configure a rule with the Decrypt - Resign action, the rule matches traffic based on the referenced internal CA certificate’s signature algorithm type, in addition to any configured rule conditions. Because you associate one CA certificate with a Decrypt - Resign action, you cannot create a decryption rule that decrypts multiple types of outgoing traffic encrypted with different signature algorithms. In addition, any external certificate objects and cipher suites you add to the rule must match the associated CA certificate encryption algorithm type.

For example, outgoing traffic encrypted with an elliptic curve (EC) algorithm matches a Decrypt - Resign rule only if the action references an EC-based CA certificate; you must add EC-based external certificates and cipher suites to the rule to create certificate and cipher suite rule conditions.

Similarly, a Decrypt - Resign rule that references an RSA-based CA certificate matches only outgoing traffic encrypted with an RSA algorithm; outgoing traffic encrypted with an EC algorithm does not match the rule, even if all other configured rule conditions match.