SSL Self signed certificate for Firepower

adamgibs7
Level 6

Dears,

I am following the link below for creating the self-signed certificate for the captive portal, but when I try to generate the CSR I get an error as attached. I also tried link 2, but no luck.

Captive portal self-signed certificate

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html#anc14

LINK 2

https://supportforums.cisco.com/t5/collaboration-voice-and-video/how-to-create-self-signed-certificates/ta-p/3145401

6 Replies

yogdhanu
Cisco Employee

Hi,

With the error screenshot, it looks like you are trying to do it on a Windows machine. It might have OpenSSL, but I would recommend doing it on the Firepower itself or on any other Linux box which has OpenSSL installed.

On the Firepower box, you can go into bash mode and then elevate to root privilege, run the same set of commands to generate the self-signed CA, and that should be a piece of cake.

Once done, use the cat command to show the content of the certificate and import it on FMC.

cat server.crt

cat server.key

Rate if it helps,

Yogesh

Dear yogdhanu,

I have got both from OpenSSL, but in my scenario FireSIGHT itself is the CA.

Actually the doc has confused me by mixing FireSIGHT as a CA and also signing by an internal CA.

Can you write down for me 2 separate paragraphs: if we have an internal CA, what will be the procedure, and if we have FireSIGHT as a CA (self-signed certificate)?

Thanks

Hello Adam,

Scenario 1

You can create a CSR either on the Firepower itself using OpenSSL or anywhere else and get it signed by your internal CA. Then import it via ASDM.

Scenario 2

You create the CSR and then self-sign it using OpenSSL on the Firepower itself, and then import the cert via ASDM.

Hope it helps.

Dear yogdhanu,

Here is the link which I'm following, configuring TASK 4.1. Actually I am doing 2 jobs with the self-signed certificate: it will be used for SSL decryption and also for captive portal active authentication.

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html#anc7

I am generating the certificate with OpenSSL and then I should import it according to the attached snapshot.

Actually there are 2 ways to do that. IF I have an internal root CA in my corporate, then I have to follow the below:

Either I can stop at step 2 below and get the CSR signed by my Windows internal certificate authority, which will provide me a .cert, and after that I should move to the import internal CA step in Objects > PKI > Internal CAs. Please correct me if I'm wrong.

OR

If I don't have an internal root CA in my corporate, then I have to follow the below:

I should continue with the complete step 3 to generate the cert from the private key and the CSR as mentioned in all 3 steps, and then I should move to the import internal CA step in Objects > PKI > Internal CAs. Please correct me if I'm wrong.

Generate a simple self-signed certificate using OpenSSL:

Step 1.   Generate the private key
               openssl genrsa -des3 -out server.key 2048

Step 2.   Generate the Certificate Signing Request (CSR)
               openssl req -new -key server.key -out server.csr

Step 3.   Generate the self-signed certificate
               openssl x509 -req -days 3650 -sha256 -in server.csr -signkey server.key -out server.crt

FOR SSL DECRYPTION

In fact there is one more step for SSL decryption: to install the certificate in the trusted root certificates of the computer or user. So in this scenario, which certificate has to be installed on the user computer, the certificate which is generated in step 3 or ????

CONCLUSION:

In both scenarios I have to import the cert and the private key in the Internal CAs, and this procedure should also be followed for SSL decryption.

Hi Adam,

You are correct for the most part. However, let me clarify one difference between using SSL decryption on Firepower and using the certificate for the captive portal.

You can use the certificate from step 3 for the captive portal, as that would be a regular certificate which is self-signed (it's still not a CA certificate which can sign other certs).

Import the certificate in the Internal Certs option instead of Internal CA.

For using SSL decryption, I would recommend navigating to the same object page (Internal CA) and clicking on Generate a CA.

Use that CA for the SSL decryption policy, and also download the cert from the same page under Objects and import it for your internal users.

Hope that helps,

Yogesh
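The distinction drawn in the reply above (a step-3 certificate is self-signed but is not a CA, so it cannot sign other certificates, whereas SSL decryption needs a CA) can be checked with OpenSSL itself. The script below is an added example, not code from the thread or from Cisco: it runs the thread's three steps unattended, builds a separate self-signed CA with basicConstraints CA:TRUE, reads that extension back from each certificate, and signs the step-2 CSR with the CA as in Scenario 1. It assumes openssl (1.0.2 or later) is on PATH, leaves the key unencrypted instead of using -des3 so nothing prompts for a passphrase, and uses placeholder subject names.

```shell
# Added example (not from the thread, not Cisco's code): runs the thread's steps 1-3
# unattended, builds a separate CA cert, and reads basicConstraints to show why only
# the CA can sign. Assumes openssl (1.0.2+) on PATH; subjects are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }
WORKDIR="$(mktemp -d)"

# Steps 1-3. Assumption: key left unencrypted (no -des3) so nothing prompts for a
# passphrase; -subj replaces the interactive CSR questions.
gen_server_cert() {
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/server.key" -subj "/CN=captive.example.internal" \
    -out "$WORKDIR/server.csr" 2>/dev/null
  openssl x509 -req -days 3650 -sha256 -in "$WORKDIR/server.csr" \
    -signkey "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Self-signed CA: same tools, but basicConstraints CA:TRUE plus keyCertSign is what
# lets a certificate sign other certificates (what the SSL decryption policy needs).
gen_ca_cert() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Decryption Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Prints "CA" when the cert carries basicConstraints CA:TRUE, otherwise "leaf".
cert_kind() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo CA; else echo leaf; fi
}

# Scenario 1 from the thread: sign the step-2 CSR with the CA, then verify the chain.
sign_with_ca() {
  openssl x509 -req -days 825 -sha256 -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -out "$WORKDIR/server-ca.crt" 2>/dev/null
  if openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server-ca.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
gen_server_cert; gen_ca_cert
echo "step-3 cert: $(cert_kind "$WORKDIR/server.crt"), generated CA: $(cert_kind "$WORKDIR/ca.crt")"
echo "CSR signed by the CA verifies: $(sign_with_ca)"
```

The same `openssl x509 -noout -text` check can be run against a certificate exported from the FMC Objects page to confirm which kind it is before importing it into clients' trusted roots.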

Thanks yogdhanu,

Your replies help me a lot. I upgraded my sensors and FMC to 6.1, and when I applied it to the user, in the connection events I can see the SSL handshake error, not with all websites, but usually I have seen it and the connection doesn't establish.

Thanks
