Showing results for 
Search instead for 
Did you mean: 


SSL Decrypt issues in 6.7 firepower

Hello, I am wondering if anyone has tested the SSL Decrypt-resign function for DPI on their endpoints in 6.7? We are experiencing an odd behavior across multiple browsers using Win10 1809 that when you first load a web page you get a certificate error: NET::ERR_CERT_AUTHORITY_INVALID. After you refresh the page, however, the certificate message goes away. If I close and reopen Chrome, and try the same webpages that previously failed, I don't get any warning message. If I look at the certificate properties within Chrome, it shows my FTD as the "Issued by" which is the default or normal behavior.

VIP Advisor


Can you compare the certificate when there is an error and without the
error.? Confirm that resignation is done both times by the same FTD. It
doesn't seem the case. Also, confirm that the CN of the certificate in both
cases to see that you are hitting the same destination server.

If the error disappears after refresh, this is a good sign that you are not
following the same path both times.

***** please remember to rate useful posts

I looked at the SAN in the certificate properties window and it does match. It's the same behavior every time. If I go to, I will get the error message on the very first time I try to load that page. Afterwards, any time I try to go to, I never see any certificate errors. Even if I open a new browser and go to, I don't get the error message. Its only the very first time I try and go to a new SSL protected website. This behavior did not happen in 6.4, 6.6 for us but started in 6.7. We had to go to 6.7 due to a bug in 6.6.1. If my traffic was taking a different path randomly, you would expect to see the certificate error at those random times it fails. But it is not that behavior. The sites and SSL decrypt policy work after the initial failure.

Content for Community-Ad