SSL Decryption and Subject Alternative Names (SANs)
Some browsers require server certificates to use a Subject Alternative Name (SAN) to specify the domains the certificate protects, and no longer support certificate matching based on the server certificate Common Name (CN). SANs enable a single server certificate to protect multiple names; CNs are less well-defined than SANs and can protect only a single domain or all first-level subdomains of a domain. However, if a server certificate contains only a CN, browsers that require a SAN will not allow end users to connect to the requested web resource.

The firewall can add a SAN to the impersonation certificate it generates to establish itself as a trusted third party during SSL decryption. When a server certificate contains only a CN, a firewall performing SSL decryption copies the server certificate CN to the impersonation certificate SAN. The firewall presents the impersonation certificate with the SAN to the client, and the browser is able to support the connection. End users can continue to access the resources they need, and the firewall can decrypt the sessions.
To enable SAN support for decrypted SSL traffic, update the decryption profile attached to the relevant decryption policy: select Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy > Append Certificate's CN Value to SAN Extension.