https://live.paloaltonetworks.com/t5/general-topics/subordinate-ca-creation-for-ssl-decryption/m-p/156930#M51516 <P>Functionally, the CN won't really matter. The user is presented a server certificate that matches the CN and SAN fields of the destination server, but it's signed by the CA you're creating. Some admins choose something descriptive like "SSL-TLS Inspection", while others will simply use something like "MyCompany Security Team".</P><P>&nbsp;</P><P>It won't actually matter, it's really just a matter of preference. It shows up as the signer, so most users won't even see it unless they have a habit of checking the certificate chain.&nbsp;</P><P>&nbsp;</P><P>Edit: You'll want to include the "Host Name" option as well. Chrome 57 (I think) has deprecated the CN field. If your CA doesn't have a SAN (using the Host Name field) it may complain. I haven't tested it, but it's worth considering.</P> Tue, 16 May 2017 18:24:47 GMT gwesson 2017-05-16T18:24:47Z https://live.paloaltonetworks.com/t5/general-topics/subordinate-ca-creation-for-ssl-decryption/m-p/156912#M51509 <P>Hello,</P><P>&nbsp;&nbsp; I am attempting&nbsp;to set up SSL Decryption on a new firewall&nbsp;and trying to create a Subordinate CA with our internal Microsoft Certificate Services.&nbsp; I am in the process of generating the CSR on the PA, but I am a little confused on what the Common Name should be.</P><P>&nbsp; Should it be the Inside interface IP, Outside interface IP, the AD domain controller name?&nbsp; I am stumped.&nbsp; If someone could give me a pointer, I would apprecaite it.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp; Steve</P> Tue, 16 May 2017 14:49:40 GMT https://live.paloaltonetworks.com/t5/general-topics/subordinate-ca-creation-for-ssl-decryption/m-p/156912#M51509 Steve27596 2017-05-16T14:49:40Z https://live.paloaltonetworks.com/t5/general-topics/subordinate-ca-creation-for-ssl-decryption/m-p/156917#M51511 <P><SPAN>In the </SPAN>Common Name<SPAN> field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate. So FQDN of the inside interface (client&nbsp;facing interface) is the way to go. But for sure other members will&nbsp;give you a better advice as I am not a great fan of the&nbsp;SSL decryption <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></SPAN></P> Tue, 16 May 2017 15:50:07 GMT https://live.paloaltonetworks.com/t5/general-topics/subordinate-ca-creation-for-ssl-decryption/m-p/156917#M51511 TranceforLife 2017-05-16T15:50:07Z https://live.paloaltonetworks.com/t5/general-topics/subordinate-ca-creation-for-ssl-decryption/m-p/156930#M51516 <P>Functionally, the CN won't really matter. The user is presented a server certificate that matches the CN and SAN fields of the destination server, but it's signed by the CA you're creating. Some admins choose something descriptive like "SSL-TLS Inspection", while others will simply use something like "MyCompany Security Team".</P><P>&nbsp;</P><P>It won't actually matter, it's really just a matter of preference. It shows up as the signer, so most users won't even see it unless they have a habit of checking the certificate chain.&nbsp;</P><P>&nbsp;</P><P>Edit: You'll want to include the "Host Name" option as well. Chrome 57 (I think) has deprecated the CN field. If your CA doesn't have a SAN (using the Host Name field) it may complain. I haven't tested it, but it's worth considering.</P> Tue, 16 May 2017 18:24:47 GMT https://live.paloaltonetworks.com/t5/general-topics/subordinate-ca-creation-for-ssl-decryption/m-p/156930#M51516 gwesson 2017-05-16T18:24:47Z https://live.paloaltonetworks.com/t5/general-topics/subordinate-ca-creation-for-ssl-decryption/m-p/157001#M51537 <P>SSL Certs are always being an interesting subject. Doesn't look complex but easy&nbsp;to get confused (at least for me :D)</P><P>Thanks for the explanation&nbsp;</P> Wed, 17 May 2017 06:50:16 GMT https://live.paloaltonetworks.com/t5/general-topics/subordinate-ca-creation-for-ssl-decryption/m-p/157001#M51537 TranceforLife 2017-05-17T06:50:16Z