You need to create the right type of certificate for each feature. The following features require certificates.
Identity Policies (Captive Portal)—Internal Certificate
(Optional.) Captive portal is used in identity policies. Users must accept this certificate when authenticating to the device for purposes of identifying themselves and receiving the IP address associated with their usernames. If you do not supply a certificate, the device uses an automatically generated certificate.
SSL Decryption Policy—Internal, Internal CA, and Trusted CA Certificates
(Required.) The SSL decryption policy uses certificates for the following purposes:
- Internal certificates are used for known key decryption rules.
- Internal CA certificates are used for decrypt re-sign rules when creating the session between the client and FTD device.
- Trusted CA certificates are used in two places:
  - Indirectly for decrypt re-sign rules when creating the session between the FTD device and server. Unlike the other certificates, you do not directly configure these certificates in the SSL decryption policy; they simply need to be uploaded to the system. The system includes a large number of trusted CA certificates, so you might not need to upload any additional certificates.
  - When creating an Active Directory Realm object and configuring the directory server to use encryption.
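The three certificate roles above (an internal certificate with its private key for known-key decryption, an internal CA that re-signs server certificates toward the client, and a trusted CA store that validates the real server toward the device) are easiest to see as a small model of the handshake logic. The following is an added example, not code from the Cisco documentation or the FTD product; it assumes the Python `cryptography` package is installed, and every CA name, hostname and key size in it is constructed for the demo.

```python
"""Added example (not from the Cisco FTD documentation): the three certificate
roles of an SSL decryption policy, modelled with the `cryptography` package.

Assumptions: `cryptography` is installed; every CA name, hostname and key
size is constructed for this demo and does not reflect the FTD implementation.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _build(subject, issuer_name, public_key, signing_key, is_ca, sans=()):
    """Sign a certificate for `subject` with `signing_key` (issuer = issuer_name)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if sans:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(h) for h in sans]), critical=False
        )
    return builder.sign(signing_key, hashes.SHA256())


def make_ca(common_name):
    """Self-signed CA; used here both as the 'Internal CA' and as a 'Trusted CA'."""
    key = _new_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return key, _build(name, name, key.public_key(), key, is_ca=True)


def issue_server_cert(ca_key, ca_cert, hostname):
    """Leaf certificate for `hostname` signed by the given CA; returns (key, cert)."""
    key = _new_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    return key, _build(name, ca_cert.subject, key.public_key(), ca_key, is_ca=False, sans=[hostname])


def is_trusted(cert, trusted_cas):
    """Trust-store check: issuer name matches a CA and the CA's key verifies the signature."""
    for ca in trusted_cas:
        if ca.subject != cert.issuer:
            continue
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
            return True
        except InvalidSignature:
            return False
    return False


def key_matches(cert, key):
    """Known-key decryption is only possible when the device holds the private key
    belonging to the server certificate's public key (an 'internal certificate')."""
    return cert.public_key().public_numbers() == key.public_key().public_numbers()


def resign_for_client(internal_ca_key, internal_ca_cert, server_cert, trusted_cas):
    """Decrypt re-sign: validate the real server certificate against the trusted CA
    store, then mint a replacement with the same subject and SAN, a device-held key,
    and the internal CA as issuer. Returns (key, replacement_cert)."""
    if not is_trusted(server_cert, trusted_cas):
        raise ValueError("server certificate does not chain to a trusted CA")
    key = _new_key()
    sans = server_cert.extensions.get_extension_for_class(
        x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    replacement = _build(server_cert.subject, internal_ca_cert.subject,
                         key.public_key(), internal_ca_key, is_ca=False, sans=sans)
    return key, replacement


def demo():
    """Walk through the three roles; returns the checks a device or client would make."""
    internal_ca_key, internal_ca = make_ca("Demo FTD Internal CA")   # Internal CA certificate
    public_ca_key, public_ca = make_ca("Demo Public Root CA")        # Trusted CA certificate
    unknown_ca_key, unknown_ca = make_ca("Demo Unknown CA")          # not in the trust store
    trusted = [public_ca]
    # Known-key rule: an internal certificate whose private key the device holds.
    intranet_key, intranet_cert = issue_server_cert(public_ca_key, public_ca, "intranet.example.com")
    # Re-sign rule: an external server whose private key the device never sees.
    _external_key, external_cert = issue_server_cert(public_ca_key, public_ca, "www.example.com")
    mimic_key, mimic = resign_for_client(internal_ca_key, internal_ca, external_cert, trusted)
    _rogue_key, rogue_cert = issue_server_cert(unknown_ca_key, unknown_ca, "www.example.com")
    try:
        resign_for_client(internal_ca_key, internal_ca, rogue_cert, trusted)
        untrusted_rejected = False
    except ValueError:
        untrusted_rejected = True
    return {
        "known_key_possible": key_matches(intranet_cert, intranet_key),
        "known_key_impossible_for_external": key_matches(external_cert, intranet_key),
        "server_chain_trusted": is_trusted(external_cert, trusted),
        "client_with_internal_ca_accepts": is_trusted(mimic, [internal_ca, public_ca]),
        "client_without_internal_ca_accepts": is_trusted(mimic, [public_ca]),
        "mimic_keeps_subject": mimic.subject == external_cert.subject,
        "mimic_has_device_key": key_matches(mimic, mimic_key),
        "untrusted_server_rejected": untrusted_rejected,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last two results are the practical takeaways: a client only accepts the re-signed certificate if the internal CA certificate has been distributed to its trust store, and the device should refuse to re-sign a server certificate that does not chain to its trusted CA store, because re-signing it would otherwise hide the validation failure from the client.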