Perform the following steps:
- Confirm that the custom CA certificate you imported into the Trusted Root CA section contains the correct information, that is, a complete and correctly encoded certificate. If it does not, the SSL key update described below fails. A workaround is given at the end of this article; alternatively, regenerate the CA certificate and import the corrected version.
- Enable SSL Decryption on the Intrusion Prevention System:
  - Under Devices, select the Sensor that will perform the decryption, and then click Setup, Decryption, SSL Decryption.
  - Select Enable Inbound Decryption.
  - Click Apply.
  - Reboot the Sensor.
- Import the SSL key:
  - Under Devices, select the Sensor that will perform the decryption, and then click Setup, Decryption, Certificate Management.
  - Click Import.
  - Provide the following information:
    - Key Alias name
    - Key file passphrase
    - The PKCS12 key file (select it from disk)
  - Click Import.
  - Click Deploy Pending Changes.
  - Click Update to push the SSL key to the Sensor.
IMPORTANT:
If the SSL key update fails on the Sensor, check the ems.logs for the following errors:
iv.core.SSLDecryption - Generate CA certs conf file
iv.core.SSLDecryption - Failed to convert cert.conf file to bytes, Input byte array has incorrect ending byte at 2088
iv.core.SSLDecryption - Root CA certs is null or empty. Skipping the root CA certs segment.
This failure means the imported CA certificate has incorrect contents. The second message is the one the Java Base64 decoder produces when the Base64 body between the BEGIN CERTIFICATE and END CERTIFICATE markers is truncated, wrongly padded, or contains stray characters; the offset in the message (2088 in this example) is the position in that Base64 input where decoding stopped. Because the certificate cannot be decoded, the Manager skips the root CA segment of the configuration it pushes to the Sensor, and the update fails.
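A quick way to confirm the certificate is at fault before you delete and re-import it is to run the same checks the import performs implicitly: strict Base64 decoding of each PEM body, followed by a check that the decoded bytes form one complete DER SEQUENCE. The script below is an added example written for this article, not code from the product; it uses only the Python standard library, and the certificate bytes it runs against are a constructed 5-byte SEQUENCE standing in for a real DER certificate (a real certificate is also an outer SEQUENCE, just much longer). Pass a PEM file path as the first argument to check a real file.

```python
"""Pre-import sanity check for a PEM CA certificate (added example, stdlib only)."""
import base64
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def der_total_length(der: bytes):
    """Length of the outer DER element (tag + length + value), or None when
    the bytes do not start with a well-formed SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:          # X.509 Certificate ::= SEQUENCE
        return None
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_ca_cert(pem_text: str) -> list:
    """Return a list of problems; an empty list means the file looks importable."""
    problems = []
    bodies = PEM_BLOCK.findall(pem_text)
    if not bodies:
        return ["no BEGIN/END CERTIFICATE markers found"]
    for idx, body in enumerate(bodies, 1):
        b64 = "".join(body.split())             # drop line breaks and spaces
        # Anything other than the Base64 alphabet (or trailing '=' padding)
        # is a stray character, e.g. from a bad copy/paste.
        stray = sorted(set(b64.rstrip("=")) - B64_ALPHABET)
        if stray:
            problems.append(
                f"cert {idx}: characters outside the Base64 alphabet: {stray}")
            continue
        pad = len(b64) - len(b64.rstrip("="))
        if len(b64) % 4 != 0 or pad > 2:
            # This is the condition a strict decoder such as java.util.Base64
            # reports as "incorrect ending byte".
            problems.append(
                f"cert {idx}: Base64 body has {len(b64)} characters with {pad} "
                "padding characters; the body is truncated or has extra characters")
            continue
        der = base64.b64decode(b64)
        expected = der_total_length(der)
        if expected is None:
            problems.append(f"cert {idx}: decoded bytes do not start with a DER SEQUENCE")
        elif expected != len(der):
            problems.append(
                f"cert {idx}: DER length header says {expected} bytes "
                f"but the body is {len(der)} bytes")
    return problems


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM markers with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-in for a DER certificate: a 5-byte SEQUENCE containing one
# INTEGER. A real certificate has the same outer structure.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
GOOD_PEM = pem_from_der(SAMPLE_DER)
_good_b64 = base64.b64encode(SAMPLE_DER).decode()

# Constructed corruptions of the kinds that make the import fail.
TRUNCATED_PEM = GOOD_PEM.replace(_good_b64, _good_b64[:-1])    # last character lost
STRAY_PEM = GOOD_PEM.replace(_good_b64, _good_b64 + "#")       # stray character before END
WRONG_LENGTH_PEM = pem_from_der(SAMPLE_DER + b"\x00")         # length header disagrees with body

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"good": GOOD_PEM, "truncated": TRUNCATED_PEM,
                   "stray": STRAY_PEM, "wrong-length": WRONG_LENGTH_PEM}
    for name, text in samples.items():
        found = check_pem_ca_cert(text)
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

Run it without arguments to see the four constructed cases, or with a file path to check the certificate you are about to import. The script deliberately does its own alphabet and length checks instead of relying on base64.b64decode alone, because Python's decoder tolerates some malformed input (such as data after the padding) that a strict decoder rejects, and the strict behaviour is what matters here.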
To work around this issue, delete the imported CA certificate and redeploy the SSL keys:
- Delete the CA certificate from the Trusted Root CA section:
  - Click the Devices tab.
  - Click Global, and expand IPS Device Settings.
  - Click SSL Decryption, Outbound, Trusted Root CA, and delete the imported CA certificate from the list.
- Redeploy the SSL keys (Deploy Pending Changes, then Update).
Once the SSL keys deploy successfully, regenerate the CA certificate with the correct contents and import it again.