Configuration of an SSL Inspection Policy on the Cisco FireSIGHT System
We recently set up our FireSIGHT to do SSL Decryption on our ASA w/ FirePOWER Services. The Cisco Guide does a good job of walking through the setup but doesn't explain what type of SSL Certificate you need. We use an internal CA to sign our certificates. After trying several Certificate Templates, we discovered that to do SSL Interception you have to use a Subordinate Certificate Authority Template under the Microsoft CA Templates.
Once you generate your CSR, request the Cert from your CA, and import it, SSL Decryption works. Be careful about what you decrypt, as it is process intensive. Applying a new policy causes existing sessions to be disconnected, and you have to close and reopen your browser. The Root CA has to be imported into the browser. Chrome and IE already have this if the PC is on the domain and you are using a Microsoft CA. Firefox needs the Root CA imported.
There is some trial and error with the policies to find out what applications on our network require Do Not Encrypt policies.
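A way to check a certificate before importing it, as an added example that is not part of the original post: the script tests for the two properties a re-signing certificate needs, `CA:TRUE` in Basic Constraints and the Certificate Sign key usage. It assumes the `openssl` command-line tool is available; the function names and both sample certificates are constructed here (self-signed stand-ins for what a subordinate CA template and a server template would issue).

```shell
#!/bin/sh
# Added example: can this certificate act as an SSL-inspection re-signing CA?

# Returns 0 if the PEM certificate in $1 is a CA allowed to sign certificates,
# 1 if it is not, 2 if the file cannot be parsed as a certificate.
is_resign_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    return 0
}

# Builds two constructed, self-signed sample certificates in directory $1:
# subca.pem has subordinate-CA extensions, leaf.pem has server extensions.
make_samples() {
    cat > "$1/sample.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-sample
[subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    for kind in subca leaf; do
        openssl req -x509 -config "$1/sample.cnf" -extensions "$kind" \
            -newkey rsa:2048 -nodes -keyout "$1/$kind.key" \
            -out "$1/$kind.pem" -days 1 2>/dev/null || return 1
    done
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for kind in subca leaf; do
    if is_resign_ca "$demo_dir/$kind.pem"; then
        echo "$kind.pem: usable as a re-signing CA"
    else
        echo "$kind.pem: not a CA certificate, cannot re-sign"
    fi
done
rm -rf "$demo_dir"
```

Run `is_resign_ca` against the certificate returned by your CA; a non-zero result means the template used did not issue a CA certificate.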