On Cisco Firepower Threat Defense there are two ways to do SSL Decryption (two actions in the SSL Policy).
Decrypt-Resign: for outbound connections (from an inside PC to an external server).
- Used for traffic to external servers
- FTD splits the original session into two: client<—>FTD<—>server
- The original server certificate is modified and re-signed by FTD with its internal CA, so the inside client must trust that CA
Decrypt-Known-Key: for inbound connections (from an external PC to your internal server).
- Used for traffic coming to your internal servers
- The server’s private key is uploaded to FTD
- FTD decrypts the client-server traffic on the fly, without altering the certificate the client sees
For both options you need to import the right certificates (and keys) first.
How and where?
Navigate to Object –> Object Management –> PKI
There are two options:
- Internal CA certificate (or FTD acting as CA) and its key
  - Needed for “Decrypt Resign”
- Your server’s certificate and private key
  - Needed for “Decrypt Known Key”
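The following script is an added example (not from Cisco or this post) that builds the two kinds of PKI material described above with the openssl CLI, checks that a server key really belongs to its certificate before you upload a Known-Key object, and emulates what Decrypt-Resign does to a server certificate. The CA name and the hostname www.example.internal are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from Cisco or the original page. Assumes only the openssl
# CLI; the names (Internal Decrypt CA, www.example.internal) are constructed.
set -e
WORK=$(mktemp -d)
SERVER_CN="www.example.internal"

# PKI object for Decrypt-Resign: an internal CA certificate plus its key.
make_internal_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Internal Decrypt CA" \
    -keyout "$WORK/internal-ca.key" -out "$WORK/internal-ca.crt" 2>/dev/null
}

# PKI object for Decrypt-Known-Key: your server's certificate plus its private key
# (self-signed here as a stand-in for the certificate your server really uses).
make_server_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$SERVER_CN" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Pre-upload check for Known-Key: the private key must belong to the certificate.
# Compares the public key embedded in the cert with the one derived from the key.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Emulates what Decrypt-Resign does to the server certificate: same subject, but
# a key pair the decrypting device holds, signed by the internal CA.
resign_with_internal_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$SERVER_CN" \
    -keyout "$WORK/resigned.key" -out "$WORK/resigned.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/resigned.csr" -CA "$WORK/internal-ca.crt" \
    -CAkey "$WORK/internal-ca.key" -set_serial 1001 -days 365 \
    -out "$WORK/resigned.crt" 2>/dev/null
}

# What an inside client sees: the cert only validates if it trusts the internal CA.
trusted_by_internal_ca() {
  openssl verify -CAfile "$WORK/internal-ca.crt" "$1" >/dev/null 2>&1
}

make_internal_ca; make_server_cert; resign_with_internal_ca
```

The re-signed certificate keeps the original subject but a different issuer and key, which is exactly why inside clients need the internal CA in their trust store for Decrypt-Resign, while Decrypt-Known-Key needs no client-side change.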