2055 Views | 5 Helpful | 4 Replies

steps for using fmc self generated certificate for SSL decryption

baselzind
Level 6

Can anyone tell me the summarized steps on how to self-generate a CA and self-sign a certificate to use in SSL decryption rules?

4 Replies

Dinesh Moudgil
Cisco Employee
This should be useful:
https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html#anc5

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.
Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

So I just generate FMC as a root Certificate Authority (CA), then I can use it in the SSL rule? And upload it to all user PCs? Or are there more steps involved?

While one CAN follow the steps outlined in the article @Dinesh Moudgil shared, it is not generally recommended to follow that approach. Decrypting all outbound traffic will severely constrain the throughput of a Firepower device (on the order of 80-90%).

Also, many sites and applications employ techniques (HSTS, certificate pinning etc.) to be resistant to such "man-in-the-middle" decryption, even from a client-trusted CA.

A better approach is to use decryption policies only for incoming traffic to organization-owned servers for which you have the server's private key.

Protect against malicious secure sites with a combination of Cisco Umbrella and AMP for Endpoints, in addition to the basic URL- and IP-based Security Intelligence blacklisting capabilities in Firepower.

Marvin Rhoads
Hall of Fame

Also, if you want to see a walk-through of setting up FMC as a subordinate CA and implementing an SSL Policy, have a look at this YouTube video:

https://www.youtube.com/watch?v=6-egmsc8Egg

(Friday Firepower Hour - SSL Policy)
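The original question asks for the steps to generate a CA and sign a certificate, and the reply above describes FMC acting as a subordinate CA. The following OpenSSL script is an added example, not from this thread, the linked Cisco document or the video: it builds a lab root CA, issues a subordinate CA certificate from it (restricted with pathlen:0 so it can only sign leaf certificates), verifies the chain, and bundles the subordinate key and certificate as PKCS#12 for upload to an appliance. All names, paths, validity periods, the passphrase and the `WORK`/`P12_PASS` variables are constructed for the example; importing the bundle into FMC and referencing it in an SSL rule follows the linked document and is not reproduced here.

```shell
#!/bin/sh
# Added lab example: private root CA -> subordinate CA -> chain check -> PKCS#12.
# Every name, path and passphrase below is constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-lab-only-change-me}"   # constructed; lab use only

# Root CA: self-signed, CA:TRUE, key usage limited to signing certs and CRLs.
make_root_ca() {
  cat > "$WORK/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
    -out "$WORK/root.key" 2>/dev/null
  openssl req -new -key "$WORK/root.key" -sha256 \
    -subj "/O=Example Lab/CN=Example Lab Root CA" -out "$WORK/root.csr"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -days 3650 -sha256 -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
}

# Subordinate CA: signed by the root; pathlen:0 means it may issue leaf
# certificates only, not further CAs. This is the role the FMC plays when it
# resigns server certificates for decryption.
make_sub_ca() {
  cat > "$WORK/sub.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/sub.key" 2>/dev/null
  openssl req -new -key "$WORK/sub.key" -sha256 \
    -subj "/O=Example Lab/CN=Example Lab Decryption Sub CA" -out "$WORK/sub.csr"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/sub.ext" \
    -out "$WORK/sub.crt" 2>/dev/null
}

# Exit 0 only if the subordinate certificate chains to the root.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/sub.crt" >/dev/null 2>&1
}

# Exit 0 if the given certificate carries CA:TRUE (i.e. it can sign other certs).
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Bundle the subordinate key, its certificate and the root as PKCS#12,
# the form most appliances accept for importing an internal CA.
export_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/sub.key" -in "$WORK/sub.crt" \
    -certfile "$WORK/root.crt" -name "lab-decryption-ca" \
    -passout "pass:$P12_PASS" -out "$WORK/sub.p12"
}

main() {
  make_root_ca
  make_sub_ca
  verify_chain && echo "chain OK: $WORK/sub.crt signed by $WORK/root.crt"
  export_pkcs12 && echo "bundle written: $WORK/sub.p12"
}
main
```

Run it with `sh make-lab-ca.sh` (any file name); it prints the working directory it used. Only the root certificate (`root.crt`) needs to be distributed to client trust stores; the root private key should stay offline once the subordinate has been issued, so that a compromised decryption appliance cannot mint a new CA. Clients that pin certificates or enforce HSTS will still reject the resigned certificates, as the reply above notes.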
