In SSL Visibility appliance some SSL sites are not decrypting and appear to be cut through
Article ID: 169157
Updated On:
Products
SSL Visibility Appliance Software
Issue/Introduction
It may be noticed that ECC (Elliptic Curve Cryptography) or RSA based SSL / TLS sites are not able to be decrypted on the SSL visibility device. These connections may appear to be cut through even though there is no cut-through rule.
Cause
The SSL Visibility device will need two resigning certificates to be able to intercept and decrypt all ciphers. One for RSA, and another for Elliptical Curve cipher. If one of these are missing, it will need to be created and added.
Resolution
In this example we are creating a missing ECC key for resigning.
Step 1 - Create a new signing cert for Eliptical Curve resigning:
If needed, you may need to get the certificate signed and cert imported by your internal Root CA signing authority.
Step 2 - set this new Elliptical Curve cert for use:
Step 1 - Create a new signing cert for Eliptical Curve resigning:
- In the SSL Visibility Management Console > PKI > Resigning Certificate Authorities
- Click on the Red Seal to create a new certificate.
- Make sure Key type is set to EC.
- Fill out the certificate
If needed, you may need to get the certificate signed and cert imported by your internal Root CA signing authority.
Step 2 - set this new Elliptical Curve cert for use:
- under: Policies > Rulesets find the ruleset section
- Click the pencil icon to edit, and set Default EC Internal Cert Authority to the Certificate that was created in step 1.
Feedback
Powered by
