Meddane
VIP

The firewall uses a certificate with the CA (Certificate Authority) role to perform SSL decryption of outbound traffic: it re-signs the spoofed server certificates it presents to internal clients with this CA.

There are three methods to obtain this certificate. They are numbered here in the same order as the sections below.

  1. Method 1 : Using an external CA with a CSR. The firewall generates the public/private key pair and a CSR (Certificate Signing Request). You submit only the CSR (the public key) to the CA, while the private key stays on the firewall; finally you upload the issued certificate, which embeds the public key.
  2. Method 2 : Using a self-signed certificate. The firewall generates a CA certificate with the public/private key pair automatically, without involving an external CA.
  3. Method 3 : Using an external CA that generates the key pair. The CA generates the certificate together with the public/private keys, and you upload both the certificate and the private key to the firewall.

Method 1

Navigate to Objects > Internal CAs and click the Generate CA button to generate a Certificate Signing Request (CSR).

Populate the required fields, such as the Common Name, then click the Generate CSR button.

The CSR contains only the public key; the private key is kept on the firewall.

Access the CA-1 server and submit the CSR. Select the Subordinate Certificate Authority certificate template so that the issued certificate has the CA role, which the firewall needs in order to sign the spoofed server certificates.

Retrieve the issued certificate from the CA-1 server. On the FMC GUI, edit the CSR, click the Install Certificate button, then use the Browse button to upload the certificate.

Method 2

To generate a self-signed certificate, click the Generate CA button, populate the required fields such as the Common Name, then click the Generate self-signed CA button. A certificate with the CA role is generated automatically, along with its private key.

Method 3

Access the CA-2 server command line and generate a certificate with the CA role. The CA-2 server generates the certificate together with the public key and the private key, so with this method you must import both the certificate and the private key into the firewall.

Retrieve the certificate and the private key files from CA-2.

Click the Internal CA button, then upload the certificate and the private key files.

Now you can use an SSL Decryption Policy Rule with Decrypt-Resign and you can specify which Certificate the firewall will use to re-sign the spoofed certificate of the target internet server.
