In SSL Visibility appliance some SSL sites are not decrypting and appear to be cut through

Article ID: 169157

Products

SSL Visibility Appliance Software

Issue/Introduction

You may notice that SSL/TLS sites whose server certificate uses an ECC (Elliptic Curve Cryptography) key, or sites whose certificate uses an RSA key, are not being decrypted by the SSL Visibility appliance. These connections appear to be cut through (passed through without inspection) even though no cut-through rule matches them.

Cause

To intercept and decrypt all cipher suites, the SSL Visibility appliance needs two resigning certificate authorities: one with an RSA key and one with an Elliptic Curve (EC) key. The appliance resigns a server certificate with the resigning CA whose key type matches the server's certificate, so if one of the two CAs is missing, connections to servers using that key type cannot be resigned and are passed through undecrypted. The missing resigning CA must be created and added.

Resolution

In this example we are creating a missing ECC key for resigning.

Step 1 - Create a new signing certificate for Elliptic Curve resigning:
  1. In the SSL Visibility Management Console, go to PKI > Resigning Certificate Authorities.
  2. Click the Red Seal icon to create a new certificate.
  3. Make sure Key type is set to EC.
  4. Fill out the certificate details and save.

If your deployment uses an internal PKI rather than a self-signed resigning CA, have the new certificate signed by your internal Root CA and import the signed certificate. Either way, the resigning CA must chain to a root that your clients already trust, otherwise browsers will show certificate warnings on the newly decrypted ECC sites.

Step 2 - Set the new Elliptic Curve certificate for use:
  1. Go to Policies > Rulesets and find the ruleset that handles the affected traffic.
  2. Click the pencil icon to edit it, and set Default EC Internal Cert Authority to the certificate created in Step 1.
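The following is an added example, not part of the original article or of the SSL Visibility product, that supports both halves of this procedure: it classifies a server certificate's key type (RSA vs. EC) so you can confirm that a failing site really does need the missing EC resigning CA before creating one, and it probes a live site so you can verify after Step 2 that the presented certificate is now issued by the new EC resigning CA. It assumes only that the openssl command-line tool is installed; the function names and the self-signed test certificates are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the SSL Visibility article): classify a server
# certificate's key type to tell which resigning CA (RSA or EC) the appliance
# needs, and probe a live site to confirm what it actually presents.
# Assumes the openssl command-line tool is installed.

# Print the public-key algorithm of a PEM certificate:
# "rsaEncryption" for RSA keys, "id-ecPublicKey" for ECC keys.
cert_key_type() {
    openssl x509 -in "$1" -noout -text | awk '/Public Key Algorithm/ { print $NF; exit }'
}

# Map the key algorithm to the resigning CA key type the appliance selects.
# Anything else (for example an Ed25519 certificate) is reported as UNKNOWN.
resigning_ca_for_cert() {
    case "$(cert_key_type "$1")" in
        rsaEncryption)  echo RSA ;;
        id-ecPublicKey) echo EC ;;
        *)              echo UNKNOWN ;;
    esac
}

# Constructed test data: generate a throwaway self-signed certificate of the
# requested key type so the functions above can be exercised offline.
# Usage: make_test_cert ec|rsa /path/to/cert.pem
make_test_cert() {
    keyfile="${2%.pem}.key"
    if [ "$1" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$keyfile" 2>/dev/null
        openssl req -x509 -new -key "$keyfile" -out "$2" -days 1 -subj "/CN=ec-test" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$keyfile" -out "$2" \
            -days 1 -subj "/CN=rsa-test" 2>/dev/null
    fi
}

# Probe a live site. Run this from a client behind the appliance: it prints the
# leaf certificate's key type, the resigning CA the appliance needs for it, and
# the issuer. After Step 2 the issuer of an ECC-keyed site should be your new EC
# resigning CA; if it is still the public CA, the flow is not being resigned.
# Usage: probe_site www.example.com [443]
probe_site() {
    host="$1"; port="${2:-443}"
    tmp=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp"
    printf 'key type:     %s\n' "$(cert_key_type "$tmp")"
    printf 'resigning CA: %s\n' "$(resigning_ca_for_cert "$tmp")"
    printf 'issuer:       %s\n' "$(openssl x509 -in "$tmp" -noout -issuer)"
    rm -f "$tmp"
}

# Offline demo on constructed certificates (no network needed).
workdir=$(mktemp -d)
make_test_cert ec  "$workdir/ec.pem"
make_test_cert rsa "$workdir/rsa.pem"
echo "ec.pem  -> $(resigning_ca_for_cert "$workdir/ec.pem")"    # EC
echo "rsa.pem -> $(resigning_ca_for_cert "$workdir/rsa.pem")"   # RSA
rm -rf "$workdir"
```

Run `probe_site` against an affected host before the change to confirm the leaf certificate reports `id-ecPublicKey` (so the EC resigning CA is the one that is missing), and again afterwards to confirm the issuer has changed to the resigning CA configured in Step 2. An RSA-keyed site that is also not decrypting would point instead at a missing RSA resigning CA.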