Incoming traffic decryption

This information applies only to rule-based decryption policies and rules.

The purpose of decrypting incoming traffic is to protect your internal servers from external attacks.

Note

The Firepower System does not support mutual authentication; that is, you cannot upload a client certificate to Security Cloud Control and use it for the Decrypt - Resign or Decrypt - Known Key decryption rule actions.

Inbound decryption types

There are two types of inbound decryption:

  • Replace Cert (default): Uses a certificate and key defined in the decryption rule to decrypt traffic. This certificate and key can be the internal server's certificate or it can be a different certificate; in addition, you can change the certificate and key at any time. You can replace the certificate in any of the following ways:

    We recommend you include the certificate authority chain.

  • Known Key: Uses the internal server's certificate to decrypt incoming traffic. If the certificate changes, you must update it manually, which interrupts decryption until the new certificate is in place both in the decryption policy and on the server.
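Two operational checks follow from the points above: for Replace Cert, that the bundle you upload actually carries the recommended certificate authority chain and not just the leaf; for Known Key, that the certificate the internal server is presenting still matches the one held in the decryption policy, because a change on the server silently interrupts decryption until the policy is updated. The script below is an added example, not Cisco's code and not part of this page; it uses only the Python standard library and assumes the policy certificate is available locally as PEM text and that the internal server is reachable on a host and port you supply. The sample certificates in it are constructed byte strings wrapped in PEM, not real certificates.

```python
"""Added example (not Cisco's code): two defender-side checks for the inbound
decryption types described above, using only the Python standard library.

1. Replace Cert: confirm the PEM bundle carries more than just the leaf
   certificate, i.e. the CA chain the text recommends including.
2. Known Key: detect when the internal server's live certificate no longer
   matches the certificate in the decryption policy, the condition that
   interrupts decryption until the policy is updated.

Assumptions (not from the page): the policy certificate is available as PEM
text, and the server is reachable on host/port for the live check.
"""
import hashlib
import re
import ssl

# One regex match per CERTIFICATE block; DOTALL lets it span the base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample "certificates": arbitrary bytes wrapped in PEM framing.
# They are placeholders for a leaf and its issuing CA, not real X.509 data.
SAMPLE_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed-leaf-certificate-bytes")
SAMPLE_CA = ssl.DER_cert_to_PEM_cert(b"constructed-issuing-ca-bytes")


def split_pem_bundle(bundle: str) -> list[str]:
    """Return every CERTIFICATE block in a PEM bundle, in file order."""
    return PEM_BLOCK.findall(bundle)


def chain_included(bundle: str) -> bool:
    """Replace Cert check: True when at least one issuer cert follows the leaf."""
    return len(split_pem_bundle(bundle)) >= 2


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER encoding, as colon-separated upper-case hex.

    ssl.PEM_cert_to_DER_cert only strips the PEM framing and base64-decodes;
    it does not parse or validate the certificate.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_cert.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def known_key_drift(policy_pem: str, live_pem: str) -> bool:
    """Known Key check: True when the live cert differs from the policy cert."""
    return fingerprint(policy_pem) != fingerprint(live_pem)


def fetch_live_cert(host: str, port: int = 443) -> str:
    """Fetch the certificate the internal server currently presents, as PEM.

    ssl.get_server_certificate performs a TLS handshake and returns the
    server's leaf certificate without validating it, which is what we want
    for a drift check. host/port are placeholders for your own server.
    """
    return ssl.get_server_certificate((host, port))


def report(policy_bundle: str, live_pem: str) -> dict:
    """Run both checks and return a small, assertable summary."""
    leaf = split_pem_bundle(policy_bundle)[0]
    return {
        "chain_included": chain_included(policy_bundle),
        "known_key_drift": known_key_drift(leaf, live_pem),
        "policy_fingerprint": fingerprint(leaf),
        "live_fingerprint": fingerprint(live_pem),
    }
```

To run the Known Key check against a real server, read the policy's PEM from a file into `policy_bundle`, call `fetch_live_cert("internal-server.example", 443)` (placeholder host) for `live_pem`, and pass both to `report`; a `known_key_drift` of `True` means the policy certificate must be updated before decryption resumes, and a `chain_included` of `False` means the uploaded bundle lacks the recommended CA chain.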