I've been reading the ASA CX and Prism 9.2 Cisco documentation about ASA CX decryption capabilities, and everything seems clear about how to configure decryption policies, how to inspect encrypted traffic flows and how to gain greater insight into your network traffic, except for one thing, which is truly important in my opinion.
The intermediate certificate.
The Cisco documentation states that:
You can upload either a root or an intermediate certificate that has been signed by a certificate authority. In other words, you need to have a certificate that is enabled for issuing additional "child" certificates.
So is it possible to obtain an intermediate certificate for ASA CX to generate certificates that will be trusted by your OS/browser? Would every Root CA provide me with an intermediate certificate? Which Root CA would you guys propose for obtaining an intermediate certificate?
I am already familiar with the concept of deploying a self-signed certificate generated by ASA CX and making it available/trusted to all client machines/browsers through a GPO, for example.
Have any of you guys uploaded an intermediate certificate to ASA CX?
You only need that in the case where you have an enterprise PKI, with something like Windows Certificate Services as your CA, issuing trusted certificates for your servers. The clients trust that root CA and any certificates signed by it.
So if the CA issues an intermediate certificate to the ASA CX, your clients will in turn trust the CX without further exceptions / certificate store settings being required.
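The chain the answer describes, as an added example that is not part of the original thread or of any Cisco documentation: a private root CA issues a subordinate (intermediate) CA certificate to a hypothetical decryption appliance, the appliance issues a leaf certificate for a site, and a client that trusts only the root is simulated with `openssl verify`. It also shows what "enabled for issuing child certificates" means in practice: the intermediate must carry `basicConstraints CA:TRUE` (and `keyCertSign`), and a certificate issued from a subordinate that lacks that flag is rejected even though the subordinate itself chains to the trusted root. All names (Example Corp, asa-cx, www.example.com) and file names are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires openssl (1.1.1+).
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for each certificate type. Hypothetical names throughout.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]

[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# A real subordinate CA: may sign end-entity certs, but no further CAs (pathlen:0).
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

# A certificate signed by the root that is NOT enabled to issue child certs.
[v3_not_a_ca]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

# End-entity cert the appliance would mint for an intercepted site.
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
authorityKeyIdentifier = keyid
EOF

# sign_csr <csr> <out.pem> <issuer-name-without-ext> <extension-section>
sign_csr() {
  openssl x509 -req -in "$1" -out "$2" -days 825 \
    -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -extfile pki.cnf -extensions "$4" >/dev/null 2>&1
}

build_pki() {
  # Root CA: self-signed. This is what clients get (e.g. via GPO).
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -days 3650 -subj "/CN=Example Corp Root CA" \
    -config pki.cnf -extensions v3_root >/dev/null 2>&1

  # Subordinate CA cert for the appliance (CA:TRUE) and a look-alike without CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key -out intermediate.csr \
    -subj "/CN=Example Corp Decryption CA (asa-cx)" -config pki.cnf >/dev/null 2>&1
  sign_csr intermediate.csr intermediate.pem root v3_intermediate
  openssl req -new -newkey rsa:2048 -nodes -keyout not-a-ca.key -out not-a-ca.csr \
    -subj "/CN=asa-cx (no CA flag)" -config pki.cnf >/dev/null 2>&1
  sign_csr not-a-ca.csr not-a-ca.pem root v3_not_a_ca

  # The appliance issues a leaf for www.example.com from each subordinate.
  openssl req -new -newkey rsa:2048 -nodes -keyout www.key -out www.csr \
    -subj "/CN=www.example.com" -config pki.cnf >/dev/null 2>&1
  sign_csr www.csr www.pem intermediate v3_leaf
  sign_csr www.csr www-bad.pem not-a-ca v3_leaf
}

# is_ca <cert.pem>: true if basicConstraints marks it as a CA.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# verify_chain <intermediate.pem> <leaf.pem>: emulate a client that trusts only root.pem.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted "$1" "$2" >/dev/null 2>&1
}

build_pki
for sub in intermediate not-a-ca; do
  leaf=www.pem; [ "$sub" = not-a-ca ] && leaf=www-bad.pem
  flag=$(is_ca "$sub.pem" && echo "CA:TRUE" || echo "CA:FALSE")
  result=$(verify_chain "$sub.pem" "$leaf" && echo trusted || echo rejected)
  echo "subordinate=$sub ($flag) -> leaf $leaf: $result"
done
```

The root is the only thing the clients need; the appliance presents its subordinate CA certificate alongside each leaf it mints, and the client builds the chain leaf -> subordinate -> trusted root. Obtaining such a subordinate from a public root CA is a different matter from obtaining one from your own enterprise CA, and the script above only models the enterprise case.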