


Cisco Defense Orchestrator

Enable the SSL Decryption Policy

Before you can configure SSL decryption rules, you must enable the policy and configure some basic settings. The following procedure explains how to enable the policy directly. You can also enable it when you enable identity policies. Identity policies require that you enable the SSL decryption policy.

Before you begin

If you upgraded from a release that did not have SSL decryption policies, but you had configured the identity policy with active authentication rules, the SSL decryption policy is already enabled. Ensure that you select the Decrypt Re-Sign certificate you want to use, and optionally enable pre-defined rules.

Review Configuring SSL Decryption Policies if you have not already.


  1. Open the Devices & Services page.
  2. Select the device for which you want to enable the SSL Decryption policy.
  3. Click Policy in the Management pane at the right.
  4. Click SSL Decryption in the policy bar.
  5. Click the SSL Decryption toggle in the SSL bar to enable the SSL Decryption policy.
     • If this is the first time you enabled the policy, read the description of Decrypt Known-Key and Decrypt Re-Sign SSL decryption and click enable.
     • If you have already configured the policy once and then disabled it, the policy is simply enabled again with your previous settings and rules. You can click the SSL decryption configuration button and configure settings as described in Configure Certificates for Known Key and Re-Sign Decryption.
  6. For Select Decrypt Re-Sign Certificate, select the internal CA certificate to use for rules that implement decryption with re-signed certificates.

     You can use the pre-defined NGFW-Default-InternalCA certificate, or one that you created or uploaded. If the certificate does not yet exist, click Create to add an FTD internal CA certificate.

     If you have not already installed the certificate in client browsers, click the download button to obtain a copy. See the documentation for each browser for information on how to install the certificate. Also see Downloading the CA Certificate for Decrypt Re-Sign Rules.

  7. Click Save.
  8. Continue with Configure the Default SSL Decryption Action to set the default action for the policy.

