
How to create a Certificate for SSL Decryption using three methods


01-30-2024 10:27 AM

The firewall uses a certificate with the Certificate Authority (CA) role to perform SSL decryption of outbound traffic: it re-signs the server certificates it presents to clients, so the certificate must be one that is allowed to sign other certificates.

There are three methods to generate this certificate.

  1. Method 1: Using an external CA. The firewall generates the public/private key pair and a Certificate Signing Request (CSR); you submit only the CSR (which carries the public key) to the CA, the private key never leaves the firewall, and finally you upload the certificate the CA issued, which embeds that public key.
  2. Method 2: Using a self-signed certificate. The firewall generates the CA certificate and the public/private key pair itself, without involving an external CA.
  3. Method 3: Using an external CA that generates everything. The CA generates the key pair and the CA certificate; you then upload both the certificate and the private key to the firewall.

Method 1

Navigate to Objects > Internal CAs and click the Generate CA button. The dialog that opens is used to generate a Certificate Signing Request (CSR).


Populate the required fields, such as the Common Name, then click the Generate CSR button.

The CSR contains only the public key; the private key is generated and kept on the firewall and is never submitted to the CA.


Access the CA-1 server and submit the CSR. When issuing, select the Subordinate Certification Authority certificate template: that template marks the issued certificate as a CA (basicConstraints CA:TRUE with the certificate-signing key usage), which is what lets the firewall use it to sign the spoofed server certificates. A certificate issued from a web-server template carries the same public key but cannot be used for re-signing.


Retrieve the issued certificate from the CA-1 server. In the FMC GUI, edit the pending CSR entry, click the Install Certificate button, then use the Browse button to upload the certificate. FMC pairs it with the private key it kept when the CSR was generated.


Method 2

To generate a self-signed certificate, click the Generate CA button, populate the required fields such as the Common Name, then click the Generate self-signed CA button. A certificate with the CA role and its private key are generated automatically on the firewall; nothing is submitted to an external CA, so clients will trust it only if this certificate is distributed to their trust stores.


Method 3

Access the CA-2 server command line and generate a certificate with the CA role. The CA-2 server produces both the certificate (with the public key) and the private key, so with this method you need to import both the certificate and the private key into the firewall. Protect the private key in transit and at rest: whoever holds it can impersonate every site the firewall decrypts.


Retrieve the certificate and the private key files from the CA-2 server.


Back on the Internal CAs page, import the CA: upload the certificate file and the private key file (if the key file is encrypted, supply its passphrase).

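The following script is an added example, not part of the original post, that reproduces Method 1 and Method 3 with OpenSSL on a lab host standing in for CA-1 and CA-2 (Method 2 is the firewall performing the Method 3 steps internally). It also shows the check worth running before uploading anything to Internal CAs: the certificate must be a CA, otherwise the firewall cannot re-sign with it and clients reject the spoofed chain. CA-1 is emulated with a self-signed root; all file names, profile names and Common Names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). Emulates CA-1 / CA-2 with OpenSSL:
#   Method 1: key + CSR on the firewall side, CSR signed by an external CA (CA-1)
#   Method 3: the CA side (CA-2) produces key + self-signed CA certificate
# and checks the property the firewall needs for Decrypt-Resign: the certificate
# must be a CA (basicConstraints CA:TRUE and keyUsage keyCertSign).
# All file names and Common Names are illustrative.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Key pair plus CSR. The CSR carries only the public key; the key stays in $1.key.
gen_key_csr() {   # $1 = file prefix, $2 = Common Name
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# Extension profiles applied at signing time. "subca" is what the AD CS
# "Subordinate Certification Authority" template yields; "leaf" is what a
# web-server template yields and is NOT usable for re-signing.
write_ext() {     # $1 = profile name; writes $1.ext
  case "$1" in
    root)  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    subca) printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    leaf)  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' ;;
    *)     echo "unknown profile $1" >&2; return 1 ;;
  esac > "$1.ext"
}

# Self-signed CA certificate from a CSR and its key (Method 3; Method 2 is the
# firewall doing the same thing internally).
self_sign_ca() {  # $1 = file prefix (uses $1.csr, $1.key), $2 = profile
  write_ext "$2"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -sha256 \
    -extfile "$2.ext" -out "$1.pem" 2>/dev/null
}

# Issue a certificate for a CSR from an existing CA (Method 1, the CA-1 side).
issue_cert() {    # $1 = CSR prefix, $2 = CA cert, $3 = CA key, $4 = profile, $5 = out prefix
  write_ext "$4"
  openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 1825 -sha256 -extfile "$4.ext" -out "$5.pem" 2>/dev/null
}

# Pre-upload check for Objects > Internal CAs: succeeds only if the certificate
# is allowed to sign other certificates.
is_ca_cert() {    # $1 = certificate PEM
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'CA:TRUE' && echo "$txt" | grep -q 'Certificate Sign'
}

# Does a re-signed server certificate ($1) validate through intermediate $2 up
# to trust anchor $3? This is what a client browser does with the spoofed cert.
chain_ok() {      # $1 = leaf PEM, $2 = intermediate PEM, $3 = trust anchor PEM
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Emulated CA-1 root (in the post, an existing enterprise CA).
gen_key_csr ca1 "CA-1 Root"
self_sign_ca ca1 root

# Method 1: the firewall makes key + CSR; CA-1 signs the CSR. Only fw1.csr
# travels to CA-1; fw1.key stays put.
gen_key_csr fw1 "FW Decrypt CA (Method 1)"
issue_cert fw1 ca1.pem ca1.key subca fw1-subca   # Subordinate CA template
issue_cert fw1 ca1.pem ca1.key leaf  fw1-wrong   # wrong template: server cert

# Method 3: CA-2 generates key + self-signed CA cert; fw3.pem AND fw3.key are
# uploaded to the firewall.
gen_key_csr fw3 "FW Decrypt CA (Method 3)"
self_sign_ca fw3 subca

# Simulate Decrypt-Resign: the firewall re-signs a spoofed certificate for the
# destination server with each candidate CA.
gen_key_csr spoof "www.example.com"
issue_cert spoof fw1-subca.pem fw1.key leaf spoof-by-fw1
issue_cert spoof fw1-wrong.pem fw1.key leaf spoof-by-wrong
issue_cert spoof fw3.pem       fw3.key leaf spoof-by-fw3

for c in fw1-subca fw1-wrong fw3; do
  if is_ca_cert "$c.pem"; then echo "$c.pem: CA, usable for Decrypt-Resign"
  else echo "$c.pem: NOT a CA, the firewall cannot re-sign with it"; fi
done
chain_ok spoof-by-fw1.pem   fw1-subca.pem ca1.pem && echo "client trusting CA-1 accepts spoof-by-fw1"
chain_ok spoof-by-wrong.pem fw1-wrong.pem ca1.pem || echo "client rejects spoof-by-wrong (intermediate is not a CA)"
chain_ok spoof-by-fw3.pem   fw3.pem       fw3.pem && echo "client must trust fw3.pem itself for Method 3"
```

The `is_ca_cert` check is the one to run on any certificate file before uploading it: a certificate issued from the wrong template installs without complaint but every decrypted site then fails validation on the client, because the browser refuses an intermediate that is not marked CA:TRUE. The last three lines make the trust requirement explicit: with Method 1 the clients need to trust CA-1 (which an enterprise root usually already is), with Methods 2 and 3 they need to trust the firewall's own CA certificate.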

Now you can create an SSL decryption policy rule with the Decrypt - Resign action and specify which internal CA certificate the firewall uses to re-sign the spoofed certificate of the destination internet server. Whichever method you used, the clients must trust the CA that ends up at the top of the spoofed chain (CA-1 for Method 1, the firewall's own CA certificate for Methods 2 and 3); otherwise every decrypted site produces a certificate warning.
