Perform the following steps:
- Confirm that the custom CA certificate you imported into the Trusted Root CA section contains the correct information. If it does not, the SSL key update fails. Either regenerate the certificate and import it again, or use the workaround described under IMPORTANT below.
- Enable SSL Decryption on Network Security Platform:
  - Under Devices, select the Sensor that performs the decryption, and then click Setup, Decryption, SSL Decryption.
  - Select Enable Inbound Decryption.
  - Click Apply.
  - Reboot the Sensor.
- Import the SSL key:
  - Under Devices, select the same Sensor, and then click Setup, Decryption, Certificate Management.
  - Click Import.
  - Type the following information:
    - The Key Alias name
    - The Key file passphrase
  - Select the PKCS12 key file.
  - Click Import.
  - Click Deploy Pending Changes.
  - Click Update to push the SSL key to the Sensor.
IMPORTANT:
If the SSL key update fails on the Sensor, check the ems.logs for the following errors:
iv.core.SSLDecryption - Generate CA certs conf file
iv.core.SSLDecryption - Failed to convert cert.conf file to bytes, Input byte array has incorrect ending byte at 2088
iv.core.SSLDecryption - Root CA certs is null or empty. Skipping the root CA certs segment.
The second message is a Base64 decoding error on the certificate body: the Manager could not decode the contents of the imported CA certificate, so the certificate file is malformed (for example, a PEM body with stray, missing, or truncated characters). Because the CA certificate cannot be read, the root CA segment is skipped and the key update fails.
To work around this issue, delete the imported CA certificate using the steps below, then redeploy the keys:
- Delete the CA cert from the Trusted Root CA section:
  - Click the Devices tab.
  - Click Global, and then expand IPS Device Settings.
  - Click SSL Decryption, Outbound, Trusted Root CA.
  - Delete the imported CA certificate.
- Redeploy the SSL keys (click Deploy Pending Changes, and then click Update).
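The following script is an added example, not part of this article or the product: it runs the checks a practitioner would want before importing the Trusted Root CA certificate and the PKCS12 key file described above, using only the openssl command line. It generates a throwaway CA, a server certificate signed by it, and a PKCS12 bundle locally (all constructed test material; the alias decrypt-web01 and passphrase changeit are assumed values), then checks that the CA certificate loads and is actually a CA, that the PKCS12 passphrase opens the bundle, what alias (friendlyName) the bundle carries, and that the server certificate chains to the CA. A deliberately corrupted copy of the CA certificate shows how a file that would trigger the Base64 error in ems.logs is rejected before it is ever imported.

```shell
#!/bin/sh
# Added example (not product code): pre-import checks for the Trusted Root CA
# certificate and the PKCS12 key file used in the SSL decryption procedure.
# Everything below is generated locally so the script runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_PEM="$WORK/ca.pem";       CA_KEY="$WORK/ca.key"
SRV_KEY="$WORK/server.key";  SRV_CSR="$WORK/server.csr"; SRV_PEM="$WORK/server.pem"
P12="$WORK/server.p12"
P12_PASS="changeit"          # assumed passphrase (constructed)
P12_ALIAS="decrypt-web01"    # assumed alias / friendlyName (constructed)

# 1. Constructed test material: a self-signed CA and a server cert it signs.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CA_KEY" -out "$CA_PEM" \
    -subj "/CN=Example Root CA" -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout "$SRV_KEY" -out "$SRV_CSR" \
    -subj "/CN=web01.example.test" >/dev/null 2>&1
openssl x509 -req -in "$SRV_CSR" -CA "$CA_PEM" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$SRV_PEM" -days 30 >/dev/null 2>&1

# 2. Bundle server key + cert (+ CA) into the PKCS12 file the import expects.
openssl pkcs12 -export -inkey "$SRV_KEY" -in "$SRV_PEM" -certfile "$CA_PEM" \
    -name "$P12_ALIAS" -out "$P12" -passout "pass:$P12_PASS"

# check_ca_pem FILE: 0 if FILE is a loadable PEM certificate whose
# basicConstraints say CA:TRUE. Fails for malformed Base64/DER (the kind of
# file behind the "incorrect ending byte" error) or for a leaf certificate
# imported by mistake.
check_ca_pem() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# check_pkcs12 FILE PASSPHRASE: 0 if the passphrase opens the bundle
# (the PKCS12 MAC verifies); non-zero for a wrong passphrase or a bad file.
check_pkcs12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# p12_alias FILE PASSPHRASE: print the friendlyName stored with the client
# certificate, i.e. the alias the bundle was built with.
p12_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# check_chain P12 PASSPHRASE CA_PEM: 0 if the server certificate inside the
# bundle verifies against CA_PEM, i.e. the key being imported belongs to the
# CA being trusted.
check_chain() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl verify -CAfile "$3" >/dev/null 2>&1
}

# 3. Corrupt a copy of the CA cert: one character of the Base64 body becomes
# '#', which no Base64 decoder accepts, so the file must be rejected.
BAD_PEM="$WORK/ca-bad.pem"
sed '3s/^./#/' "$CA_PEM" > "$BAD_PEM"

run_checks() {
    check_ca_pem "$CA_PEM"  && echo "CA cert: OK"
    check_ca_pem "$BAD_PEM" || echo "corrupted CA cert: rejected (fix or regenerate before importing)"
    check_pkcs12 "$P12" "$P12_PASS" && echo "PKCS12 passphrase: OK"
    check_pkcs12 "$P12" "wrong"     || echo "PKCS12 with wrong passphrase: rejected"
    echo "PKCS12 alias: $(p12_alias "$P12" "$P12_PASS")"
    check_chain "$P12" "$P12_PASS" "$CA_PEM" && echo "server cert chains to CA: OK"
}
run_checks
```

To use the checks on real files, point check_ca_pem at the certificate you intend to place in Trusted Root CA and check_pkcs12, p12_alias and check_chain at the PKCS12 file and passphrase you intend to type into Certificate Management; a failure from check_ca_pem is the case the IMPORTANT note above describes, and is cheaper to catch here than after a Sensor reboot and a failed key update.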