1948 Views | 0 Helpful | 9 Replies

SSL Decryption for ASA 5516x with firepower

charles_nana (Frequent Visitor)

Hi,

Is it possible to configure SSL decryption to inspect the traffic using a 3rd party certificate? I am having 6 different AD trees behind this firewall with about 500 users.

Also, is this unit good enough to support SSL decryption?

Thanks

Charles


9 Replies

Bogdan Nita (VIP Alumni) [Accepted Solution]

You can use 3rd party certificate for SSL decryption on the firepower.

SSL decryption on an ASA with firepower can have a performance decrease of up to 80%, because it is done in software.

The new Firepower models 4100 and 9000 do it in hardware and should have a much better performance.

Thank you for your reply.

What do you mean with 3rd party? It can *not* be done with a certificate that you purchase from a public CA. You need a certificate that has the basic constraints set so that you can issue certificates. You only get this with a self-signed certificate or from a private CA. In both cases, the local self-signed or the private root-certificate needs to be trusted by the clients. These certificates are completely unrelated to your AD.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
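As an added illustration (not part of any post in this thread), the script below checks the property Karsten describes: a certificate can only be used to re-sign server certificates for decryption if it carries basicConstraints CA:TRUE and, where a keyUsage extension is present, the Certificate Sign bit. To have something to compare, it builds two constructed certificates with openssl: a private root with the CA profile, and a server certificate issued by that root with the profile a public CA would put on a purchased certificate. The subject names, file names and the temporary directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example: inspect a PEM certificate and report whether it can issue
# (re-sign) certificates, i.e. whether it is usable as an SSL decryption CA.
# Returns 0 if it can, 1 if it cannot, 2 if the file is not a readable cert.
can_issue_certs() {
    cert_txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    # basicConstraints must be present and set to CA:TRUE
    printf '%s\n' "$cert_txt" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || return 1
    # if keyUsage is present it must include Certificate Sign (keyCertSign)
    if printf '%s\n' "$cert_txt" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$cert_txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# Build two constructed certificates under directory $1 for comparison
# (assumed names; this is sample material, not a real CA hierarchy).
make_demo_certs() {
    dir=$1
    # Minimal req config so openssl does not depend on the system openssl.cnf;
    # the subject is always overridden with -subj below.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
    # Profile of a private/enterprise root or self-signed resigning certificate
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    # Profile a public CA puts on a purchased server certificate: no CA rights
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"

    # Self-signed root (constructed): CSR, then self-sign with the CA profile
    openssl req -new -config "$dir/req.cnf" -subj '/CN=Example Internal Decryption CA' \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null

    # Server certificate (constructed) issued by that root with the leaf profile
    openssl req -new -config "$dir/req.cnf" -subj '/CN=www.example.com' \
        -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Usage: sh check_ca.sh demo   -> builds the two sample certs and reports on each
#        sh check_ca.sh FILE   -> reports on an existing PEM certificate
report() {
    if can_issue_certs "$1"; then
        echo "$1: CA:TRUE with Certificate Sign - usable as a decryption CA"
    elif [ $? -eq 1 ]; then
        echo "$1: no CA rights - a firewall cannot re-sign with this certificate"
    else
        echo "$1: not a readable PEM certificate"
    fi
}

case "${1:-}" in
    demo)
        demo_dir=$(mktemp -d)
        make_demo_certs "$demo_dir"
        report "$demo_dir/ca.pem"
        report "$demo_dir/leaf.pem"
        rm -rf "$demo_dir"
        ;;
    "") ;;
    *) report "$1" ;;
esac
```

Running the demo prints that the constructed root is usable and that the server certificate is not; running it against a certificate bought from a public CA gives the second result, which is the reason a purchased certificate cannot be loaded as the decryption CA.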

Hi Karsten,

Thank you for pointing that out. I usually hear 3rd party certificate when referring to certificates issued by private CAs and my above answer was based on that.

Hi,

What I wanted to know was whether I can use a certificate purchased from a CA like Godaddy. As I don't want to maintain a CA in house.


Thanks

Charles

As already mentioned: No, you can't!

Public CAs, like Godaddy, will not sign certificates that can be used in man-in-the-middle SSL decryption.

The options for certificates used for SSL decryption are self-signed or enterprise CA-signed certificates.

Sorry for misunderstanding your original question.

Hi Bogdan,

Thanks for your reply. If I have to use self-signed or enterprise CA-signed certificate, those will not be trusted by the non-domain devices like phones and tablets. Any suggestions on how to deliver these certificates to non-domain devices?


That is typically done with mobile device management.