Automatic SAN Support for SSL Decryption

Some browsers require server certificates to use a Subject Alternative Name (SAN) to specify the domains the certificate protects, and no longer support certificate matching based on the server certificate Common Name (CN). SANs enable a single server certificate to protect multiple names; CNs are less well-defined than SANs and can protect only a single domain or all first-level subdomains of a domain. However, if a server certificate contains only a CN, browsers that require a SAN will not allow end users to connect to the requested web resource.
Now, the firewall can add a SAN to the impersonation certificate it generates to establish itself as a trusted third-party during SSL decryption. When a server certificate contains only a CN, a firewall performing SSL decryption copies the server certificate CN to the impersonation certificate SAN. The firewall presents the impersonation certificate with the SAN to the client, and the browser is able to support the connection. End users can continue to access the resources they need, and the firewall can decrypt the sessions.
  1. To decrypt and inspect SSL/TLS traffic from internal users to the web, configure SSL Forward Proxy Decryption.
  2. Enable the firewall to add a SAN to impersonation certificates.
    1. Select Objects > Decryption Profile and Add or modify a profile.
    2. Select SSL Decryption > SSL Forward Proxy and then enable the firewall to Append certificate’s CN value to SAN extension.
    (Screenshot: decryption-profile-append-san.png)
  3. Attach the updated Decryption profile to a Decryption policy to enforce the new setting on matching traffic (Policies > Decryption > Options > Decryption Profile).
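The following is an added model of the behaviour described above, not code from Palo Alto Networks or the firewall itself. It shows why a SAN-only browser check rejects a CN-only server certificate, and how copying the CN into the impersonation certificate's SAN (the "Append certificate's CN value to SAN extension" setting) lets the same check succeed. The `Cert` type, the `impersonation_cert` function and the wildcard rule (leftmost label only, one level deep) are assumptions of this model.

```python
"""Model of SAN-only hostname matching and of the forward proxy
appending the server certificate CN to the impersonation cert SAN."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    cn: str                                        # Subject Common Name
    san: List[str] = field(default_factory=list)   # dNSName SAN entries


def _match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname (assumed RFC 6125 style:
    a wildcard may only replace the whole leftmost label)."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*.") and "*" not in p[2:]:
        return h.endswith(p[1:]) and h.count(".") == p.count(".")
    return False


def browser_accepts(hostname: str, cert: Cert) -> bool:
    """A SAN-only client check: the CN is never consulted, so a
    certificate without a SAN can never match any hostname."""
    return any(_match(name, hostname) for name in cert.san)


def impersonation_cert(server_cert: Cert, append_cn_to_san: bool = True) -> Cert:
    """Build the impersonation certificate the forward proxy presents.
    With the profile setting enabled, a server certificate that carries
    only a CN gets that CN copied into the SAN of the impersonation cert;
    a server certificate that already has a SAN is left unchanged."""
    san = list(server_cert.san)
    if append_cn_to_san and not san and server_cert.cn:
        san.append(server_cert.cn)
    return Cert(cn=server_cert.cn, san=san)


if __name__ == "__main__":
    # Constructed sample: an origin server with a CN-only certificate.
    origin = Cert(cn="www.example.com")
    print("direct, CN-only:", browser_accepts("www.example.com", origin))
    print("via proxy, CN appended:",
          browser_accepts("www.example.com", impersonation_cert(origin)))
```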