SSL Decryption and Subject Alternative Names (SANs)
Modern browsers (Chrome since version 58, for example) require server
certificates to list the names they protect in a Subject Alternative
Name (SAN) extension and no longer fall back to matching the requested
host against the certificate's Common Name (CN). A SAN can carry many
names, so a single certificate can protect multiple hosts. The CN is a
free-form subject field with no defined semantics for host name
matching, and it can carry only one name: either a single host name or
a wildcard that covers the first-level subdomains of one domain. If a
server certificate contains only a CN, browsers that require a SAN
reject the connection and end users cannot reach the requested web
resource.

The firewall can add a SAN to the impersonation certificate
it generates to establish itself as a trusted third party during
SSL decryption. When a server certificate contains only a CN, a
firewall performing SSL decryption copies the server certificate
CN to the impersonation certificate SAN. The firewall presents the
impersonation certificate with the SAN to the client, and the browser
is able to support the connection. End users can continue to access
the resources they need, and the firewall can decrypt the sessions.
To enable SAN support for decrypted SSL traffic, update the decryption
profile attached to the relevant decryption policy: select Objects >
Decryption Profile > SSL Decryption > SSL Forward Proxy and enable
Append certificate's CN value to SAN extension.
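The following is an added example, not code from the PAN-OS documentation or from the firewall itself. It models the two behaviours the text describes: a client that checks the server's names either SAN-only (modern browser) or with CN fallback (legacy client), and the firewall's step of copying a CN into the SAN of the impersonation certificate when the server certificate has no SAN. The host names, the certificate contents and the `cn_fallback` / `append_cn_to_san` switches are constructed for illustration; the wildcard rule follows RFC 6125 (one wildcard in the left-most label, covering exactly one label).

```python
"""
Added example (not part of the PAN-OS documentation): models how a client
matches a server certificate's names against the requested host, and how a
decrypting firewall's "copy CN into SAN" step changes the outcome for a
CN-only server certificate. All names below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Identity fields of a certificate that matter for host name matching."""
    common_name: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact match, or a single wildcard in the
    left-most label that covers exactly one label. So *.example.test
    matches www.example.test but not example.test or a.b.example.test."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard only as the whole left-most label, and only with at least
    # two fixed labels to its right (no "*.test" style patterns).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def client_accepts(cert: CertNames, host: str, cn_fallback: bool) -> bool:
    """Modern browsers use cn_fallback=False: only SAN dNSName entries count.
    Legacy clients fall back to the CN, but only when the certificate
    carries no SAN at all; a present SAN always takes precedence."""
    if cert.san_dns:
        return any(name_matches(n, host) for n in cert.san_dns)
    if cn_fallback and cert.common_name:
        return name_matches(cert.common_name, host)
    return False


def impersonation_cert(server_cert: CertNames, append_cn_to_san: bool) -> CertNames:
    """Names the firewall places in the impersonation certificate it presents
    to the client. With append_cn_to_san (the 'Append certificate's CN value
    to SAN extension' setting), a server certificate that has only a CN
    gains a SAN holding that CN, as the documentation describes. Certificates
    that already carry a SAN are passed through unchanged here."""
    san = list(server_cert.san_dns)
    if append_cn_to_san and server_cert.common_name and not san:
        san.append(server_cert.common_name)
    return CertNames(common_name=server_cert.common_name, san_dns=san)


if __name__ == "__main__":
    # Constructed CN-only server certificate for a host the user requests.
    cn_only = CertNames(common_name="www.example.test")
    for client, fallback in (("legacy client", True), ("modern browser", False)):
        direct = client_accepts(cn_only, "www.example.test", fallback)
        via_fw = client_accepts(
            impersonation_cert(cn_only, append_cn_to_san=True),
            "www.example.test", fallback)
        print(f"{client}: server cert directly={direct}, "
              f"firewall impersonation cert with CN->SAN={via_fw}")
```

Running the script shows the failure mode from the text: the legacy client accepts the CN-only certificate either way, while the modern browser rejects it unless the firewall has copied the CN into the SAN of the impersonation certificate.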