Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2059
Views
0
Helpful
2
Replies

FTD/FMC SSL Decrypt Issue

Go to solution
stamperbrian
Level 1
Level 1

‎09-01-2021 08:47 AM

I am doing some testing in a lab environment with the SSL Decryption.  Because its lab and I don't have an internal CA that the machines trust I ended up using a public signed certificate so all the clients would trust it.  The FTD appears to be doing the re-assign just fine.  However, every site I go to in any browser I get NET:ERR_CERT_INVALID.

Example:

www.nfl.com normally uses encryption to protect your information.  When Microsoft Edge tried to connect to www.nfl.com this time, the website sent back unusual and incorrect credentials....

 

WHen I look at the certs in the browser:

I see my public cert that I put in and it states:

This certificate does not appear to be valid for the selected purpose.

 

The rest of the cert path is fine and in tact/trusted.  

 

I'm probably trying to do something that doesn't work at all but figured it shouldn't matter what cert I use to resign with as long as the client machines trust it?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎09-01-2021 09:18 AM - edited ‎09-01-2021 09:20 AM

@stamperbrian 

If you are using a Public signed certificate, then that won't work. For SSL decryption you'll need a CA certficate which can re-sign certificates on the fly.

 

Once configured and SSL decryption is working correctly, when you checked the certificate issued to a site, you'd see it was issued by your CA rather than the actual public CA.

 

A public CA that signed your identity certificate is not going to give you a CA certificate, otherwise you'd be able to spoof any domain. You'd need to use an Internal CA (i.e Microsoft Windows Server CA).

 

See this link for certificate types by feature.

 

And this link to use Microsoft CA to issue the CA certificate to FMC for SSL decryption.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎09-01-2021 09:18 AM - edited ‎09-01-2021 09:20 AM

@stamperbrian 

If you are using a Public signed certificate, then that won't work. For SSL decryption you'll need a CA certficate which can re-sign certificates on the fly.

 

Once configured and SSL decryption is working correctly, when you checked the certificate issued to a site, you'd see it was issued by your CA rather than the actual public CA.

 

A public CA that signed your identity certificate is not going to give you a CA certificate, otherwise you'd be able to spoof any domain. You'd need to use an Internal CA (i.e Microsoft Windows Server CA).

 

See this link for certificate types by feature.

 

And this link to use Microsoft CA to issue the CA certificate to FMC for SSL decryption.

0 Helpful

Go to solution
stamperbrian
Level 1
Level 1
In response to Rob Ingram

‎09-01-2021 09:20 AM

I kinda wondered about that.  Was just trying to make it so I didn't have to worry about having a PKI environment to do the testing.  THanks!!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card