Cisco Defense Orchestrator

Configure Certificates for Known Key and Re-Sign Decryption

If you implement decryption, either by re-signing or using known keys, you need to identify the certificates that the SSL decryption rules can use. Ensure that all certificates are valid and unexpired.

Especially for known-key decryption, you need to ensure that the system has the current certificate and key for each destination server whose connections you are decrypting. With a decrypt known key rule, you use the actual certificate and key from the destination server for decryption. Thus, you must ensure that the FTD device has the current certificate and key at all times, or decryption will be unsuccessful.

Upload a new internal certificate and key whenever you change the certificate or key on the destination server that a known-key rule covers. Upload them as an internal certificate (not an internal CA certificate). You can upload the certificate during the following procedure, or upload it on the Objects page by clicking the + button and selecting FTD > Certificate.

  1. Open the Devices & Services page.
  2. Select the device for which you want to create the SSL policy and click Policy in the Management pane at the right.
  3. Click SSL Decryption in the policy bar.
  4. Click the certificate button in the SSL decryption policy bar.
  5. In the SSL Decryption Configuration dialog, click the Select Decrypt Re-Sign Certificate menu and select or create the internal CA certificate to use for rules that implement decryption with re-signed certificates. You can use the pre-defined NGFW-Default-InternalCA certificate, or one that you created or uploaded. 

If you have not already installed the certificate in client browsers, click the download button to obtain a copy. See the documentation for each browser for information on how to install the certificate. Also see the Downloading the CA Certificate for Decrypt Re-Sign Rules section of the Security Policies chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running.

  6. For each rule that decrypts using a known key, upload the internal certificate and key for the destination server:
     a. Click the + button under Decrypt Known-Key Certificates.
     b. Select the internal identity certificate, or click Create New Internal Certificate to upload it now.
  7. Click Save.
  8. Review and deploy the changes now, or wait and deploy multiple changes at once.
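The conditions this page sets for a certificate you upload (the private key actually belongs to it, it is unexpired, a known-key rule gets the server's own identity certificate while a re-sign rule gets a CA certificate) can be verified with openssl before you touch the CDO dialog. The script below is an added example and is not Cisco or CDO code. It assumes the openssl command-line tool is on PATH; the check_pair and make_test_pki functions are illustrative names, and the internal CA and the 10-day server certificate they use are constructed test data generated in a temporary directory. The hostname check for known-key certificates goes slightly beyond the page's wording: it confirms the certificate's subjectAltName names the destination server you are decrypting, which is the same "current certificate for each destination server" requirement stated above, applied to the file in hand.

```shell
#!/bin/sh
# Pre-upload checks for FTD decryption certificates.
# Added example, not Cisco/CDO code. Requires the openssl CLI on PATH.
# Every certificate and key used below is constructed test data created by
# make_test_pki; nothing here talks to a real server or a CDO tenant.
set -eu

# check_pair CERT KEY MODE MIN_DAYS [HOST]
#   MODE known-key : CERT must be the server's own identity certificate (not a CA)
#   MODE re-sign   : CERT must be a CA certificate (basicConstraints CA:TRUE)
# In both modes KEY must be the private key for CERT and CERT must remain valid
# for at least MIN_DAYS. For known-key, an optional HOST must appear in the SAN.
# Returns 0 when the pair is safe to upload, 1 when it is not.
check_pair() {
    cert=$1; key=$2; mode=$3; min_days=$4; host=${5:-}

    # 1. Unexpired and not about to expire. -checkend takes a window in seconds
    #    and exits non-zero if the certificate expires inside that window.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert is expired or expires within $min_days days"; return 1
    fi

    # 2. The key really belongs to this certificate: both must carry the same
    #    SubjectPublicKeyInfo. A mismatched pair decrypts nothing.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "FAIL: $key is not the private key for $cert"; return 1
    fi

    # 3. Certificate type matches the rule type.
    text=$(openssl x509 -in "$cert" -noout -text)
    case "$mode" in
        known-key)
            if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
                echo "FAIL: $cert is a CA certificate; a known-key rule needs the server's identity certificate"; return 1
            fi
            if [ -n "$host" ] && ! printf '%s\n' "$text" | grep -q "DNS:$host"; then
                echo "FAIL: $cert does not list $host in subjectAltName"; return 1
            fi ;;
        re-sign)
            if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
                echo "FAIL: $cert is not a CA certificate; a re-sign rule needs an internal CA"; return 1
            fi ;;
        *)
            echo "usage: check_pair CERT KEY known-key|re-sign MIN_DAYS [HOST]"; return 2 ;;
    esac
    echo "OK: $cert and $key are usable for a $mode rule"
}

# Throwaway PKI for the demo: an internal CA (the kind a re-sign rule uses)
# and a 10-day server identity certificate issued by it (the kind a known-key
# rule uses). Constructed test data, not any real server's certificate.
make_test_pki() {
    dir=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -new -key "$dir/ca.key" -subj "/CN=Example Internal CA" -out "$dir/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt"

    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key"
    openssl req -new -key "$dir/server.key" -subj "/CN=www.example.com" -out "$dir/server.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 10 -extfile "$dir/server.ext" -out "$dir/server.crt"
}

# --- demo: what you would run before uploading into CDO ---
work=$(mktemp -d)
make_test_pki "$work" 2>/dev/null
check_pair "$work/server.crt" "$work/server.key" known-key 5 www.example.com   # OK
check_pair "$work/ca.crt" "$work/ca.key" re-sign 30                            # OK
check_pair "$work/server.crt" "$work/server.key" known-key 30 || true          # FAIL: expires within 30 days
check_pair "$work/server.crt" "$work/ca.key" known-key 5 || true               # FAIL: key does not match
check_pair "$work/ca.crt" "$work/ca.key" known-key 5 || true                   # FAIL: CA cert, not identity cert
rm -rf "$work"
```

Run the known-key check against the exact certificate and key files you export from the destination server, with MIN_DAYS set to however long you need before the next rotation; a FAIL on the expiry line is the early warning for the "current certificate and key at all times" requirement, since an expired or mismatched pair on the FTD device silently turns decryption failures into connection failures for that rule.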