ASA CX Decryption policies with intermediate certificate

Answered Question
May 15th, 2014
Hello Guys,

I've been reading the ASA CX and Prism 9.2 Cisco documentation about ASA CX decryption capabilities, and everything seems clear about how to configure decryption policies, how to inspect encrypted traffic flows and how to gain greater insight into your network traffic, except for one thing which is truly important in my opinion.

The intermediate certificate.

Cisco Documentation refers that: 

You can upload either a root or an intermediate certificate that has been signed by a certificate authority. In other words, you need to have a certificate that is enabled for issuing additional "child" certificates.

So is it possible to obtain an intermediate certificate for ASA CX to generate certificates that will be trusted by your OS/browser? Would every Root CA provide me with an intermediate certificate? Which Root CA would you guys propose for obtaining an intermediate certificate?

I am already familiar with the concept of deploying a self-signed certificate generated by ASA CX and making it available to / trusted by all client machines/browsers, through a GPO for example.

Have any of you guys uploaded an intermediate certificate on ASA CX?

Regards

Theo

Correct Answer by Marvin Rhoads, Fri, 05/16/2014 - 05:28

You only need that in the case where you have an enterprise PKI, with something like Windows certificate services as your CA issuing trusted certificates for your servers. The clients trust that root CA and any certificates signed by it.

So if the CA issues an intermediate certificate to the ASA CX, your clients will in turn trust the CX without further exceptions / certificate store settings being required.
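The scenario in the answer, as an added example with openssl (this is not code from the thread, from Cisco or from the ASA CX itself, and it assumes openssl is on the PATH; the CA names, the hostname www.example.com and the file names are made up): an enterprise root issues a subordinate CA certificate to the decrypting proxy, the proxy mints a server certificate from it, and a client that trusts only the root accepts the result. A second certificate that the root issued without CA:TRUE shows what "enabled for issuing child certificates" means in practice: a leaf signed by it fails verification even though it also chains to the root. This is also why a public CA will not sell such a certificate: a subordinate CA can mint a valid certificate for any name, and browser root programs forbid public CAs from issuing one to a customer for interception.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): an enterprise root CA
# issues a subordinate CA certificate to a decrypting proxy standing in for
# an ASA CX; the proxy then mints a server certificate that clients trusting
# only the root will accept. A second certificate without CA:TRUE shows why
# "enabled for issuing child certificates" matters. All names are made up.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# One config file: a minimal [req] section plus the extension profiles.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

# Enterprise root: may issue CAs and end-entity certificates.
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

# Subordinate CA handed to the proxy; pathlen:0 stops it minting further CAs.
[ v3_sub_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# What the root issues to an ordinary server: explicitly not a CA.
[ v3_not_ca ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# Server certificate the proxy presents to the client.
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
authorityKeyIdentifier = keyid:always
EOF

# Self-signed enterprise root: the one certificate the GPO pushes to clients.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -days 3650 -subj "/CN=Example Corp Root CA" -config pki.cnf -extensions v3_root 2>/dev/null
}

# issue NAME CN ISSUER PROFILE: key + CSR for NAME, signed by ISSUER using PROFILE.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" -config pki.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -out "$1.pem" -days 365 -extfile pki.cnf -extensions "$4" 2>/dev/null
}

# Print the Basic Constraints value of NAME.pem, e.g. "CA:TRUE, pathlen:0".
ca_flag() {
  openssl x509 -in "$1.pem" -noout -text |
    awk '/Basic Constraints/ { getline; sub(/^ +/, ""); print; exit }'
}

# verify_chain INTERMEDIATE LEAF: the client's view, trusting only root.pem.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted "$1.pem" "$2.pem" >/dev/null 2>&1
}

make_root
issue cx      "ASA CX Decryption CA" root v3_sub_ca   # sub-CA installed on the proxy
issue noca    server.example.com     root v3_not_ca   # ordinary server certificate
issue leaf    www.example.com        cx   v3_leaf     # minted by the proxy on the fly
issue badleaf www.example.com        noca v3_leaf     # signed with a non-CA certificate

echo "cx:   $(ca_flag cx)"
echo "noca: $(ca_flag noca)"
if verify_chain cx leaf; then echo "leaf via cx: trusted"; else echo "leaf via cx: rejected"; fi
if verify_chain noca badleaf; then echo "badleaf via noca: trusted"; else echo "badleaf via noca: rejected"; fi
```

Only root.pem needs to reach the clients; cx.pem and cx.key go on the proxy, and leaf.key never leaves it. The pathlen:0 on the sub-CA is the one hardening step worth insisting on when the enterprise CA issues the certificate: it limits the blast radius if the proxy's key is ever stolen to forged leaf certificates, not forged CAs.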
