FTD decryption TLS 1.3 - Flushing certificates in cache

cpaquet
Level 1

On FTD, with TLS decryption enabled, "the managed device caches server certificate data, which allows faster handshake processing in subsequent sessions that use the same certificate" (https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/encrypted-traffic-overview.html)

"A cached TLS server's certificate is available to all Snort instances on a particular threat defense.  The cache can be cleared with a CLI command and is automatically cleared when the device is rebooted."  (https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/decryption-policies.html)

However, the doc doesn't say which command flushes the certificates that the FTD SSL decryption process has accumulated in the cache.

Would it be: clear crypto ca trustpool  or  crypto ca trustpool remove ?

Thanks.


5 Replies

Regarding the SSL/TLS server certificate cache on Firepower Threat Defense (FTD) devices with TLS decryption enabled: you're correct that the documentation mentions the ability to clear this cache but doesn't specify the exact command to do so. Based on the current documentation and available FTD commands, there isn't a straightforward, documented method to manually clear this cache. The commands you mentioned (clear crypto ca trustpool and crypto ca trustpool remove) are related to the certificate trustpool and not to this specific SSL decryption cache. Given this situation, here are the current options and recommendations:

Automatic clearing: As mentioned in the documentation, the cache is automatically cleared when the device is rebooted. This is the only confirmed method of clearing the cache.
Policy redeployment: While not guaranteed, redeploying the SSL policy from Firepower Management Center (FMC) might potentially refresh the certificate cache.
Natural expiration: The cache likely has some form of expiration or rotation mechanism, though details on this are not provided in the public documentation.

please do not forget to rate.

cpaquet
Level 1

Thanks, Sheraz, for your thorough answer.

Does anyone know how to get Cisco (the firewall Business Unit, I guess) to amend the FTD documentation, either by adding the command (if such a command exists) or by removing the phrase in the doc that says a command exists for flushing certs acquired during SSL decryption?

Your best course of action is to either open a Cisco TAC case or contact your Cisco account manager. I know this is not helpful, but that's the only way to get their attention on this matter.

please do not forget to rate.

You can see some info about the SSL policy in FTD. Run this command:

ftd > system support ssl-? <<- this will give you a lot of options to see SSL statistics

MHM

bcoverstone
Level 1

> system support ssl-cache-clear all
