Certificate for Firepower

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: amplexor.com

I ran this command:

It produced this output:

My web server is (include version): Cisco Firepower 6.2

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): dehydrated

Currently we manage the certificates for our public endpoints with a local certstore based on dehydrated. We recently got a request to generate a certificate for Cisco Firepower that will enable Firepower to generate trusted certificates for the purpose of SSL traffic inspection.

We have already provided them with a Let’s Encrypt certificate but this is not working.

Can you please inform us whether we can achieve this feature with Let's Encrypt?

Best regards,

Paulo

No. Let's Encrypt does not allow its certificates to be used to intercept encrypted communications--that's actually directly contrary to the purpose of their certs.

3 Likes

Yes, the Terms of Use for Let's Encrypt mention that

[...] ISRG may, without advance notice, immediately revoke Your Certificate if ISRG determines, in its sole discretion, that: [...] (vii) Your Certificate is being used, or has been used, to intercept the traffic of others; [...]

@pferreira, you probably want to create your own organizational root certificate in order to do the kind of interception you're referring to. In that case, you need to add trust to that root certificate to all of the individual devices whose communications will be intercepted (because other devices are specifically trying to detect and prevent this interception—by default, it's considered to be unauthorized). Let's Encrypt does not offer this kind of certificate and doesn't have any tools or services meant to facilitate this use case.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.