![Meddane_0-1706639016352.png Meddane_0-1706639016352.png](https://community.cisco.com/t5/image/serverpage/image-id/209164iED0757B0C224775C/image-size/large?v=v2&px=999)
The firewall uses a certificate with the CA (Certificate Authority) role to perform SSL decryption for outbound traffic.
There are three methods to obtain this certificate.
- Method 1 : Using an external CA. The firewall generates a public/private key pair and a CSR (Certificate Signing Request). You submit only the CSR, which carries the public key, while the private key stays on the firewall; finally you upload the issued certificate, which embeds that public key.
- Method 2 : Using a self-signed certificate. The firewall generates the certificate and the public/private key pair itself, without involving an external CA.
- Method 3 : Using an external CA. You generate the certificate (or a CSR) together with the public/private key pair on the CA side, then upload both the certificate and the private key to the firewall.
Method 1 : CSR signed by an external CA (CA-1)
Navigate to Objects > Internal CAs. Click the Generate CA button to generate a Certificate Signing Request (CSR).
![Meddane_1-1706639016359.jpeg Meddane_1-1706639016359.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209162i475C1DCBE395AF4D/image-size/large?v=v2&px=999)
![Meddane_2-1706639016363.jpeg Meddane_2-1706639016363.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209163i530F466B89EAE7FA/image-size/large?v=v2&px=999)
Populate the required fields, such as the Common Name, then click the Generate CSR button.
The CSR contains only the public key; the private key is kept on the firewall.
![Meddane_3-1706639016366.jpeg Meddane_3-1706639016366.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209165i3D876CC2E6F151AD/image-size/large?v=v2&px=999)
![Meddane_4-1706639016369.jpeg Meddane_4-1706639016369.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209166i5845741B274561B5/image-size/large?v=v2&px=999)
![Meddane_5-1706639016373.jpeg Meddane_5-1706639016373.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209167i6F77A5A8C8DA12D0/image-size/large?v=v2&px=999)
Access the CA-1 server and submit the CSR. Select the Subordinate Certificate Authority certificate template so that the issued certificate has the CA role; otherwise the firewall cannot use it to sign the spoofed server certificates.
![Meddane_6-1706639016377.jpeg Meddane_6-1706639016377.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209168i01D2025D874AD299/image-size/large?v=v2&px=999)
Retrieve the issued certificate from the CA-1 server. On the FMC GUI, edit the CSR, click the Install Certificate button, then use the Browse button to upload the certificate.
![Meddane_7-1706639016382.jpeg Meddane_7-1706639016382.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209170iB8041DB16BC11801/image-size/large?v=v2&px=999)
![Meddane_8-1706639016385.jpeg Meddane_8-1706639016385.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209169i7D9D7FD82A2230EB/image-size/large?v=v2&px=999)
Method 2 : Self-signed CA certificate
Generate a self-signed certificate: click the Generate CA button, populate the required fields, such as the Common Name, then click the Generate self-signed CA button. A certificate with the CA role is generated automatically, together with its private key.
![Meddane_9-1706639016389.jpeg Meddane_9-1706639016389.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209172iF227320414BB64DF/image-size/large?v=v2&px=999)
![Meddane_10-1706639016392.jpeg Meddane_10-1706639016392.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209171iA2B23CF1414CE93B/image-size/large?v=v2&px=999)
![Meddane_11-1706639016395.jpeg Meddane_11-1706639016395.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209173iB65C2A00C0408473/image-size/large?v=v2&px=999)
Method 3 : Certificate and private key generated on an external CA (CA-2)
Access the CA-2 server command line and generate a certificate with the CA role. The CA-2 server generates the certificate together with the public key and the private key. With this method you need to import both the certificate and the private key into the firewall.
![Meddane_12-1706639016398.jpeg Meddane_12-1706639016398.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209175iCDFEC45BDB95CC08/image-size/large?v=v2&px=999)
Retrieve the certificate and the private key as shown below.
![Meddane_13-1706639016399.jpeg Meddane_13-1706639016399.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209174i4981C674E27BAADE/image-size/large?v=v2&px=999)
Click the Internal CA button, then upload the certificate and the private key files.
![Meddane_14-1706639016404.jpeg Meddane_14-1706639016404.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209176i6D2E580CE24DA1DE/image-size/large?v=v2&px=999)
![Meddane_15-1706639016409.jpeg Meddane_15-1706639016409.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209178i06B42FC9A3656E7E/image-size/large?v=v2&px=999)
![Meddane_16-1706639016413.jpeg Meddane_16-1706639016413.jpeg](https://community.cisco.com/t5/image/serverpage/image-id/209179iA7DC93D7DF4A43A0/image-size/large?v=v2&px=999)
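The following is an added example, not part of the original post: a throwaway OpenSSL root CA stands in for CA-1, the firewall side of Method 1 (key pair plus CSR) is reproduced, and a check then verifies what any Internal CA certificate must satisfy before it is uploaded, whether issued from a CSR as in Method 1 or imported with its private key as in Method 3. All names and paths are constructed.

```shell
# Added example (not from the original post): a throwaway OpenSSL root CA
# plays CA-1, signs the firewall's CSR as a subordinate CA, and a check
# verifies what an Internal CA certificate must satisfy before upload.
set -eu
WORK=$(mktemp -d)

# Constructed root CA playing the role of CA-1 (not a real server).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" \
  -subj "/CN=CA-1 Root (constructed)" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null

# Method 1, firewall side: the private key stays in ftd.key; only the CSR,
# which carries the public key, is sent to the CA.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/ftd.key" -out "$WORK/ftd.csr" \
  -subj "/CN=FTD Decrypt-Resign CA (constructed)" 2>/dev/null

# Extensions equivalent to the Subordinate CA template: without CA:TRUE
# the firewall cannot use the result to re-sign server certificates.
cat > "$WORK/subca.ext" <<EOF
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF

# CA-1 side: issue the subordinate CA certificate from the CSR.
openssl x509 -req -in "$WORK/ftd.csr" -CA "$WORK/root.crt" \
  -CAkey "$WORK/root.key" -CAcreateserial -days 365 \
  -extfile "$WORK/subca.ext" -out "$WORK/ftd.crt" 2>/dev/null

# check_ca_cert CERT KEY: succeeds only if CERT has the CA role with the
# Certificate Sign key usage and KEY is the private key that matches it
# (the pair uploaded in Method 3).
check_ca_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' || return 1
  echo "$text" | grep -q 'Certificate Sign' || return 1
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

if check_ca_cert "$WORK/ftd.crt" "$WORK/ftd.key"; then
  echo "ftd.crt + ftd.key: usable as an Internal CA"
else
  echo "ftd.crt + ftd.key: NOT usable as an Internal CA"
fi
```

Run the same check against a certificate issued from an ordinary server template and it fails on the missing CA:TRUE, which is the usual cause of a certificate that uploads fine but cannot be selected for Decrypt-Resign.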
You can now use an SSL decryption policy rule with the Decrypt-Resign action and specify which certificate the firewall uses to re-sign the spoofed certificate of the destination internet server.
![Meddane_17-1706639016417.png Meddane_17-1706639016417.png](https://community.cisco.com/t5/image/serverpage/image-id/209177i89896210B3895552/image-size/large?v=v2&px=999)