Which cert needed for SSL inspection on FTDv

Stuart-ITGL
Level 1

I'm working on a project that needs SSL Decrypt-Resign implemented. I understand that I need a Subordinate CA cert in order for this to happen, however I am a little unsure as to exactly what the SubCA cert should be issued to: is it to FMC, which then "shares" it with the FTDs, or does the cert get issued to the FTDvs directly?


This is all being done up in Azure using Cisco's reliable and scalable design (see attached image of topology). Effectively, I have 2 FTDvs "sandwiched" between an internal and external load balancer, so have a pseudo Active-Active setup rather than a traditional HA (this isn't possible within Azure).


This is my first time doing SSL inspection so it's a baptism by fire!


Any help would be most appreciated.


2 Replies

@Stuart-ITGL 

You create an Internal CA on the FMC with a certificate signed by your CA using the SubCA certificate template. This FMC Internal CA is referenced in the SSL Policy deployed to the FTD and allows the FTD to resign the certificates, according to the SSL Policy rules.


A public CA (Verisign, GoDaddy, etc.) isn't going to provide you with a SubCA; this is usually an internal CA that provides the SubCA certificate, so the end devices would need to trust this certificate.

From the sounds of your post, the SubCA cert is issued to the FMC rather than directly to the FTDs. Am I understanding that correctly?
