If you decide to decrypt traffic, users must have the internal CA certificate that is used in the encryption process defined as a Trusted Root Certificate Authority in their applications that use TLS/SSL. Typically if you generate a certificate, or sometimes even if you import one, the certificate is not already defined as trusted in these applications. By default in most web browsers, when users send HTTPS requests, they will see a warning message from the client application informing them that there is a problem with the web site’s security certificate. Usually, the error message says that the web site’s security certificate was not issued by a trusted certificate authority or the web site was certified by an unknown authority, but the warning might also suggest there is a possible man-in-the-middle attack in progress. Some other client applications do not show this warning message to users nor allow users to accept the unrecognized certificate.
You have the following options for providing users with the required certificate:
Inform users to accept the root certificate
You can inform the users in your organization what the new policies are at the company and tell them to accept the root certificate supplied by the organization as a trusted source. Users should accept the certificate and save it in the Trusted Root Certificate Authority storage area so that they are not prompted again the next time they access the site.
Note: The user needs to accept and trust the CA certificate that created the replacement certificate. If they instead simply trust the replacement server certificate, they will continue to see warnings for each different HTTPS site that they visit.
Add the root certificate to client devices
You can add the root certificate to all client devices on the network as a trusted root certificate authority. This way, the client applications automatically accept transactions with the root certificate.
You can either make the certificate available to users by E-mailing it or placing it on a shared site, or you could incorporate the certificate into your corporate workstation image and use your application update facilities to distribute it automatically to users.
The following procedure explains how to download the internal CA certificate and install it on Windows clients.
The process differs depending on the operating system and type of browser. For example, you can use the following process for Internet Explorer and Chrome running on Windows. (For Firefox, install through the Tools > Options > Advanced page.)
Messages should indicate that the import was successful. You might see an intermediate dialog box warning you that Windows could not validate the certificate if you generated a self-signed certificate rather than obtaining one from a well-known third-party Certificate Authority.
You can now close out the Certificate and Internet Options dialog boxes.
- Download the certificate from Firepower Device Manager.
- Open the Devices & Services page.
- Select the device on which the certificate is stored.
- Click Policy in the Management pane at the right.
- Click SSL Decryption in the policy bar.
- Click the SSL decryption configuration button in the SSL decryption policy policy bar.
- Click the Download button
- Select a download location, optionally change the file name (but not the extension), and click Save.
- You can now cancel out of the SSL Decryption Settings dialog box.
- Install the certificate in the Trusted Root Certificate Authority storage area in web browsers on client systems, or make it available for clients to install themselves. This procedure will be different for different browsers and operating systems.
CA Certificates Configured Through FDM
CDO can manage multiple devices but is limited the in additional information that is saved when the device configuration is saved, which may incur some issues when handling internal CA certificates. CDO does not save the cert or key information of CA certificates that are configured through the FDM console; if you attempt to use a CA certificate that was configured in FDM and apply it to an SSL policy that is deployed to a secondary device, CDO creates a local copy of the CA certificate but does not and cannot copy the key information. As a result, neither CDO or the secondary device have the key information and the CA certificate cannot be successfully deployed. This also means that the download link for the local copy of the CA certificate is unavailable.
We strongly recommend configuring a separate CA certificate for any additional devices through FDM, or creating CA certificates through the CDO UI.
Download Button is Disabled
The download button is disabled for certificates (self signed and uploaded) that are staged on CDO but have not been deployed back to the device yet. A certificate can be downloaded only after deploying it to the device.