cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
151
Views
0
Helpful
0
Replies

Problem with ssl decrypt-resign on Cisco Sefure Firewall

janvanek
Level 1
Level 1

Hello, community,
I'm solving a problem with ssl decryption using the decypt-resign method. I have made a subordinate CA for this purpose, which has the following X509 parameters:
Certificate Authority: Yes
Key Usage
Usages: digital signature certificate signature revocation list signature
Critical: No
Extension
Identifier: 1.3.6.1.4.1.311.21.7 #(yes this was generated by the Microsoft root CA)
Extended Key Usage
Allowed Purposes: Server Authentication
Critical: Yes
Extension
Identifier: 1.3.6.1.4.1.311.21.10 #(again - something from MS CA)
There is obviously a problem here, since the server contains a certificate that has Client Authentication in the Key Usage (in addition to Web server auth). Many web servers have it this way, even this cisco website. Firepower then stuffs the "Client authentication" into the resigned certificate as well - according to the original certificate.  Interestingly, in chromium based browsers this works perfectly fine, but Firefox returns "SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION"
Has anyone encountered this problem? Is there any way to force firepower not to put Client authentication in the certificate? Or is the problem elsewhere? Thanks a lot for the help. Jan

0 Replies 0
Review Cisco Networking for a $25 gift card