In the SSL Policy of Firepower there is a "Trusted CA Certificates" tab which I have never seen described in any Cisco documentation, so what is its importance? I mean all guides and configuration samples show implementing an SSL Policy without even touching that section. I wonder what its importance is?
As noted in the configuration guide, "You can trust CAs by adding root and intermediate CA certificates to your SSL policy, then use these trusted CAs to verify server certificates used to encrypt traffic."
Basically it adds another layer of verification. As you observe, it is not mandatory.
As you mentioned it is not mandatory, so this means that, as it is now configured in my policy, I am not using any CA certificate, not even my internal CA, and it should not create any problem. I wonder what the differences would be if I used them, or, to clarify my question, what additional verifications can be done by using them. Could you please provide an example?
You could add a given CA into Trusted CAs so that Firepower will check that CA for a Certificate Revocation List (CRL) when decrypting traffic to a site with a certificate issued by that CA. If the certificate is found to have been revoked you could then block the traffic.
Your FMC online help provides some further examples. See:
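As an added illustration that is not from this thread or from Cisco, the following Python (using the `cryptography` library) models the two extra checks the answer above describes: is the server certificate really issued by a CA on the trusted list, and does that CA's CRL list it as revoked. The CA names, host names, keys and CRL are all constructed throw-away values for the demo.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW, SHA256 = datetime.now(timezone.utc), hashes.SHA256()

def _name(cn):
    return x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
def _cert_builder(subject, issuer, pub):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365)))
def make_ca(cn):  # self-signed root CA, constructed for this demo (hypothetical name)
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_cert_builder(_name(cn), _name(cn), key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, SHA256))
    return key, cert
def issue_server_cert(ca_key, ca_cert, cn):  # leaf (server) certificate signed by the CA
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    return _cert_builder(_name(cn), ca_cert.subject, leaf_key.public_key()).sign(ca_key, SHA256)
def make_crl(ca_key, ca_cert, revoked_serials):  # CRL published and signed by the CA
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, SHA256)
def check_server_cert(server_cert, trusted_cas, crls):  # -> 'untrusted', 'revoked' or 'trusted'
    issuer = next((ca for ca in trusted_cas if ca.subject == server_cert.issuer), None)
    if issuer is None:
        return "untrusted"  # issuing CA is not on the Trusted CA Certificates list
    try:  # the leaf must really be signed by that CA, not merely name it as issuer
        issuer.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                   ec.ECDSA(server_cert.signature_hash_algorithm))
    except InvalidSignature:
        return "untrusted"
    if any(crl.issuer == issuer.subject and crl.is_signature_valid(issuer.public_key())  # CA-signed CRL only
           and crl.get_revoked_certificate_by_serial_number(server_cert.serial_number) for crl in crls):
        return "revoked"  # a policy rule could block this session
    return "trusted"
def demo():  # our CA issues two server certs and revokes one; a third comes from a CA we never trusted
    ca_key, ca_cert = make_ca("Demo Internal CA")
    other_key, other_ca = make_ca("Unknown CA")
    ok, bad = (issue_server_cert(ca_key, ca_cert, cn) for cn in ("ok.example", "revoked.example"))
    stranger = issue_server_cert(other_key, other_ca, "stranger.example")
    crl = make_crl(ca_key, ca_cert, [bad.serial_number])
    return {c.subject.rfc4514_string(): check_server_cert(c, [ca_cert], [crl]) for c in (ok, bad, stranger)}
```

Running `demo()` returns the decision for each of the three servers, which is the kind of outcome an SSL policy rule can then act on (for example, block the revoked one).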