Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2125
Views
5
Helpful
4
Replies

steps for using fmc self generated certificate for SSL decryption

baselzind
Level 6
Level 6

‎01-06-2020 11:40 PM - edited ‎02-21-2020 09:49 AM

can anyone tell me the summarized steps on how to self generate a CA and self sign a certificate to use in ssl decryption rules?

0 Helpful
4 Replies 4

Dinesh Moudgil
Cisco Employee
Cisco Employee

‎01-07-2020 12:23 AM

This should be useful:
https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html#anc5

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.
Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

baselzind
Level 6
Level 6
In response to Dinesh Moudgil

‎01-07-2020 01:01 AM

so i just generate FMC as a root Certificate Authority (CA) then i can use it in the ssl rule? and upload it to all user pc? or there is more steps involved?
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to baselzind

‎01-07-2020 06:38 PM

While one CAN follow the steps outlined in the article @Dinesh Moudgil shared, it is not generally recommended to follow that approach. Decrypting all outbound traffic will severely constrain the throughput of a Firepower device (on the order of 80-90%).

Also, many sites and applications employ techniques (HSTS, certificate pinning etc.) to be resistant to such "man-in-the-middle" decryption, even from a client-trusted CA.

A better approach is to use decryption policies only for incoming traffic to organization-owned servers for which you have the server's private key.

Protect against malicious secure sites with a combination of Cisco Umbrella and AMP for Endpoints, in addition to the basic URL- and IP-based Security Intelligence blacklisting capabilities in Firepower.

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-07-2020 08:02 PM

Also, if you want to see a walk through of setting up FMC as a subordinate CA and implementing an SSL Policy, have a look at this Youtube video:

https://www.youtube.com/watch?v=6-egmsc8Egg

(Friday Firepower Hour - SSL Policy)

Friday Firepower Hour - SSL Policy
Friday Firepower Hour - SSL Policy
youtube.com/watch?v=6-egmsc8Egg
In this Friday Firepower Hour session, we cover how to configure an SSL Policy. We walk through on how to configure the Firepower Management Center as a Subordinate CA to your MS CA and then add this setting to a SSL Policy. We then test using 2 computers of which, 1 is domain joined and the other
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card