Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
476
Views
2
Helpful
1
Comments

" Propagate untrusted server certificates to clients " option on FTD

Meddane
VIP
VIP

on ‎04-04-2023 04:09 PM

On Firepower Threat Defense, there is an option in the Advanced Setting of SSL policy called " Propagate untrusted server certificates to clients "
This option applies only to traffic matching a Decrypt - Resign rule action.

What does this option mean?

Like the web browser, The firewall comes with a predefined set of Trusted CAs .

There is a scenario where the firewall does not trust the server certificate it gets from the external server because the CA that signed it is not present in the predefined trusted CA certificates list.

In this case, using the decrypt resign action in an SSL policy rule, the server certificate can be presented to the client into different ways.

Either it can send the server certificate as trusted because the FTD spoofed the original server certificate and signs it with your internal CA, in this case we want the client actually do not notice that FTD is sending untrusted server certificate.

 Or the other option is to force Firepower to create voluntarily a spoofed certificate that will not be trusted by the clients because the FTD is not trusting the server certificate, so the client is aware about that.

At the right with the option "propagate untrusted server certificate to the clients" UNCHECKED, the client receive a server certificate signed by internal CA on the FTD. The client will not notice that.

At the left, we propagate untrusted server certificate to the client by checking the option , in this case Firepower just create a self-signed certificate that will not be trusted by the clients to warn the end user that the Firewall is not trusting the server certificate. The client will notice that and an error of untrusted certficate will be displayed in the web browser.

8.JPG

 

Comments
bcoverstone
Level 1
Level 1
‎04-22-2024 10:22 AM

The only thing missing here is the ability to tell what happens if an INTERMEDIATE certificate is not trusted. I want the root certificates to be trusted, but I don't care when there is a new intermediate certificate, yet I have to add them all to the CA trust store.

The other option is to uncheck this, but then untrusted root certificates will come through as trusted, and I do not want that.

I need an option to "Ignore unknown intermediate certificates if root is trusted".

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents