ASA CX Decryption policies with intermediate certificate

thodoris
Level 1

 

 Hello Guys,

I've been reading the ASA CX and Prism 9.2 Cisco documentation about ASA CX decryption capabilities, and everything seems to be clear about how to configure decryption policies, how to inspect encrypted traffic flows and how to gain greater insight into your network traffic, except for one thing which is truly important in my opinion.

The intermediate certificate.

The Cisco documentation states that:

You can upload either a root or an intermediate certificate that has been signed by a certificate authority. In other words, you need to have a certificate that is enabled for issuing additional “child” certificates.

So is it possible to obtain an intermediate certificate for ASA CX to generate certificates that will be trusted by your OS/browser? Would every Root CA provide me with an intermediate certificate? Which Root CA would you guys propose for obtaining an intermediate certificate?

I am already familiar with the concept of deploying a self-signed certificate generated by ASA CX and making it available/trusted to all client machines/browsers through a GPO, for example.

Have any of you guys uploaded an intermediate certificate on ASA CX?

Regards

Theo

                

 

1 Accepted Solution


Marvin Rhoads
Hall of Fame

You only need that in the case where you have an enterprise PKI and something like Windows certificate services as your CA and issuing trusted certificates for your servers. The clients trust that root CA and any certificates signed by it.

So if the CA issues an intermediate certificate to the ASA CX, your clients will in turn trust the CX without further exceptions / certificate store settings being required.

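The trust relationship described in the answer can be checked in a lab with OpenSSL. This is an added example, not part of the original posts or of Cisco's documentation; the directory layout, file names and subject names are constructed, and the root here only stands in for an enterprise CA that clients already trust.

```shell
# Added example: constructed lab PKI (all names and files are made up).
# Succeeds only if PEM certificate $1 is enabled for issuing child
# certificates: basicConstraints CA:TRUE plus the keyCertSign key usage.
is_issuing_ca() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
}

# Build root CA -> subordinate CA -> server certificate in directory $1.
build_lab_pki() {
    d=$1; cfg="$d/lab.cnf"
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[root_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[sub_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
    # Root: stands in for the enterprise CA that clients already trust.
    openssl req -x509 -config "$cfg" -extensions root_ca -newkey rsa:2048 \
        -nodes -days 30 -subj "/CN=Lab Root CA" -keyout "$d/root.key" \
        -out "$d/root.pem" 2>/dev/null || return 1
    # sub: intermediate a decryption device would hold; leaf: what it issues.
    issue() { # issue NAME CN SIGNER EXTENSION_SECTION
        openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
            -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null &&
        openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" \
            -CAcreateserial -days 30 -extfile "$cfg" -extensions "$4" \
            -out "$d/$1.pem" 2>/dev/null
    }
    issue sub "Lab Decryption CA" root sub_ca || return 1
    issue leaf "www.example.test" sub leaf || return 1
}

# Succeeds if the leaf validates for a client that trusts only the root.
leaf_trusted_via_root() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}
demo=$(mktemp -d) && build_lab_pki "$demo" && is_issuing_ca "$demo/sub.pem" &&
    leaf_trusted_via_root "$demo" && echo "sub CA may issue; leaf chains to root"
```

Running `is_issuing_ca` against a candidate certificate before uploading it shows whether it carries the CA flag the quoted documentation requires; an ordinary server certificate fails the check.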
