Lab Minutes Forum
Technical Discussion => Security => Topic started by: Mikep on February 11, 2016, 03:41:46 PM
-
Hi there,
I'm trying to set up SSL decryption in my lab using Firepower 6.0 with an ASA 5516-X.
I'm using this doc...
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html
I created a CSR and requested a cert on my Windows CA, but in the next step, when I import the signed cert, it asks for the private key along with the cert.
Where can I get the private key?
I tried to do what this says...
http://www.websense.com/support/article/t-kbarticle/How-to-import-an-internal-Root-CA-created-with-Microsoft-Certificate-services
But I got an error in Firepower when I tried to save it.
Any idea what I might be missing?
-
Scratch that. I got it working another way.
Generate the CSR, sign it with the CA.
Go back to Firepower and click the pencil on the cert you just created.
Then, bottom left, click Install Certificate and upload the signed cert you downloaded from the CA.
-
Did you get the SSL decryption working already? Where did you generate the CSR from? Did you upload the cert under PKI > CA Cert? What template on MS CA did you use to sign the cert?
-
Hi MC,
So I did the following steps...
Objects > Object Management > PKI > Internal CAs
From there click Generate CA
(http://s2.postimg.org/u1isw9f61/sf1.jpg)
Fill in the data and then click Generate CSR on the bottom left.
(http://s9.postimg.org/707b59z7j/sf1a.jpg)
Copy the CSR, then go to your CA and sign the cert.
I'm not sure why but my CA doesn't have options as to what kind of cert it is, like yours does in your videos.
Once you have the signed cert go back to Firepower and click the pencil on the cert you just created
(http://s8.postimg.org/5g5f7qwut/sf2.jpg)
Then Click on Install Cert on the bottom left and browse for your signed cert.
(http://s30.postimg.org/5ychcl4ap/sf3.jpg)
Once this was all done, create your SSL policy. I chose to decrypt only some categories using Decrypt - Resign and chose the cert you just created.
Assign the SSL policy to your access policy.
Seems to be working for me. However, I tested a Dropbox policy to allow the site but not to allow upload and download. The download was blocked and the application was Dropbox Download; however, the upload still worked and the application showed as just Dropbox.
Need to do some more testing.
-
Thank you for the detailed instructions, sucanushie. :) I know that the cert requires signing capability, so it usually needs to be issued from the correct template, but if it is already working for you then it should be fine.
I do sometimes see issues with micro apps on FP (in your case Dropbox upload/download). If you find the issue and resolution, please kindly share your experience; it would be much appreciated.
-
Hi @sucanushie
But did you need to import the CAROOT at the MS CA?
-
Hi @sucanushie
But did you need to import the CAROOT at the MS CA?
The FP cert should be signed by your enterprise CA that is trusted by your internal clients, so when FP intercepts the SSL session, the client would not complain.
-
Hi MC, what template at MS do I use to sign the certificate? Do I use the web one or not?
Thanks.
-
Hi MC,
I used the Subordinate Certification Authority, and it works for IE and Chrome. For Firefox, I needed to manually trust the certificate.
-
Since the FP cert needs to be able to re-sign the cert the web server returns, it is correct to use the Subordinate CA template. Different browsers react to this differently, as you have observed, especially Firefox, which might require your enterprise root CA to be stored in the browser settings in addition to the Windows CA store.
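The point made in the last two replies (and in MC's earlier remark about signing capability) can be checked before uploading anything to Firepower. The script below is an added example, not from this thread or from Cisco: it inspects a signed certificate for the two things a Decrypt - Resign CA needs, basicConstraints CA:TRUE and keyUsage keyCertSign, which the Subordinate CA template provides and a web-server template does not. It assumes openssl is on PATH; the lab root CA and both test certs are constructed locally and stand in for the Windows CA.

```shell
# Added example (not from the thread): verify a signed cert can act as a
# Decrypt - Resign CA before installing it on Firepower.
set -e

# is_resign_ca <cert.pem>: exit 0 only if the cert may sign other certs,
# i.e. it carries basicConstraints CA:TRUE and keyUsage keyCertSign.
is_resign_ca() {
    txt=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$txt" | grep -q 'Certificate Sign' || return 1
}

# make_lab_certs <dir>: a throwaway lab root CA (constructed here, standing in
# for the Windows CA) signs one CSR two ways: like the Subordinate CA template
# (fp-subca.pem) and like a plain web-server template (fp-web.pem).
make_lab_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Lab Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Firepower Resign CA' \
        -keyout "$d/fp.key" -out "$d/fp.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\n' > "$d/subca.ext"
    printf 'keyUsage=critical,keyCertSign,cRLSign,digitalSignature\n' >> "$d/subca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/web.ext"
    printf 'keyUsage=digitalSignature,keyEncipherment\n' >> "$d/web.ext"
    for kind in subca web; do
        openssl x509 -req -in "$d/fp.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -days 30 -extfile "$d/$kind.ext" \
            -out "$d/fp-$kind.pem" 2>/dev/null
    done
}

# Demo run: only the Subordinate-CA-style cert passes the check.
LAB=$(mktemp -d)
make_lab_certs "$LAB"
for c in "$LAB/fp-subca.pem" "$LAB/fp-web.pem"; do
    if is_resign_ca "$c"; then
        echo "$c: OK, usable for Decrypt - Resign"
    else
        echo "$c: NOT a CA cert, Firepower cannot re-sign with it"
    fi
done
```

To check a real cert downloaded from the MS CA, call is_resign_ca on that file; a cert issued from the Web Server template will fail the CA:TRUE check.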