SSL Decryption using certificate generated from Active Directory CA?

davparker
Level 1

I have not been able to find any good documentation on how to generate/install a certificate issued by an Active Directory CA for use with SSL Decryption policy. I've read through the config guides for 7.2x. It seems like this would be an incredibly common scenario. Any help would be appreciated.

Thanks - David

9 Replies

@davparker try this guide https://integratingit.wordpress.com/2019/02/16/firepower-ssl-decryption/

When signing the CSR make sure the certificate template selected is the Subordinate Root Authority.

In this video we will set up Firepower TLS decryption capabilities to ensure we are inspecting all traffic and not missing threats embedded in TLS. We will leverage a MS CA to sign the CSR from Firepower to enable Firepower to issue certificates. This also helps with browser errors when using ...
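A check worth running on the certificate the AD CA hands back before importing it into FMC: if the wrong template was picked (Web Server instead of Subordinate Certification Authority), the cert comes back as a leaf with CA:FALSE and no keyCertSign, and the sensor cannot resign with it. This is an added example, not code from the thread or from Cisco; it builds a constructed lab PKI with openssl (1.1.1 or newer assumed) so it runs offline, and the same `is_signing_ca` check works on the real file exported from the AD CA.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: verify that a certificate
# issued by the AD CA is a real signing CA before loading it into FMC for a
# Decrypt - Resign rule. Assumes openssl 1.1.1+ is on PATH.
set -e
WORK=$(mktemp -d)

# Return 0 only if the cert has Basic Constraints CA:TRUE and a Key Usage
# that includes Certificate Sign (keyCertSign); otherwise return 1.
is_signing_ca() {
  txt=$(openssl x509 -in "$1" -noout -text) || return 1
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
}

# Sign the sensor's CSR with the lab root using the extensions in $1, write to $2.
sign_csr() {
  openssl x509 -req -in "$WORK/ftd.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$1" -out "$2" 2>/dev/null
}

# Constructed lab PKI: a self-signed root standing in for the AD enterprise CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3 \
  -subj '/CN=Lab Root CA (constructed)' \
  -addext 'basicConstraints=critical,CA:TRUE' \
  -addext 'keyUsage=critical,keyCertSign,cRLSign' \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# The CSR the sensor would generate for its decryption CA (constructed subject).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=Firepower Decryption CA (constructed)' \
  -keyout "$WORK/ftd.key" -out "$WORK/ftd.csr" 2>/dev/null

# Extensions equivalent to the Subordinate Certification Authority template.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/subca.ext"
# Extensions of a Web Server style template: a leaf cert, not a CA.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

GOOD_CERT="$WORK/subca.pem"; BAD_CERT="$WORK/leaf.pem"
sign_csr "$WORK/subca.ext" "$GOOD_CERT"
sign_csr "$WORK/leaf.ext" "$BAD_CERT"

for c in "$GOOD_CERT" "$BAD_CERT"; do
  if is_signing_ca "$c"; then echo "OK   $c can resign"; else echo "FAIL $c is not a signing CA"; fi
done
```

On the real export, run `is_signing_ca` against the PEM/CER the PKI team returns; a FAIL means the wrong template was used and the CSR needs to be re-signed.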

davparker
Level 1

Thanks. My PKI person is asking about the compatibility settings on Subordinate Certificate Authority Template used to generate the certificate for the following fields:

Certificate Authority
Certificate Recipient

Our AD servers are at ver 2016. Any thoughts?

@davparker the standard Microsoft Sub CA template will suffice. They could duplicate the existing template (without modifications) if they wish.

davparker
Level 1

Very nice! Decryption is now working. Now trying to figure out what not to decrypt prior to enabling it for more resources.

@davparker glad to hear it's working.

FYI, SSL decryption is expensive on resources, so I would be selective on what you decrypt, don't decrypt everything.

I think you need to configure Decrypt - Known Key, i.e. for the servers inside your network, and use their IPs to filter which traffic needs to be decrypted.
If you decrypt all traffic, your traffic will start to drop.

MHM


All our Internet exposed servers are in external data centers. We basically have no inbound rules other than what is needed for VPN. I plan on excluding traffic from decryption for our common domains where most of our business apps reside. Also excluding stuff like WebEx and Teams. Also, what categories of web traffic do people typically decrypt?

FYI,

I found this resource to be very helpful when trying to figure out what to decrypt vs DND. BRKSEC-3063 (ciscolive.com)
