Subordinate CA creation for SSL Decryption

cancel
Showing results for 
Search instead for 
Did you mean: 

Subordinate CA creation for SSL Decryption

L1 Bithead

Hello,

   I am attempting to set up SSL Decryption on a new firewall and trying to create a Subordinate CA with our internal Microsoft Certificate Services.  I am in the process of generating the CSR on the PA, but I am a little confused on what the Common Name should be.

  Should it be the Inside interface IP, Outside interface IP, the AD domain controller name?  I am stumped.  If someone could give me a pointer, I would apprecaite it.

 

Thanks,

  Steve

1 ACCEPTED SOLUTION

Accepted Solutions

L7 Applicator

Functionally, the CN won't really matter. The user is presented a server certificate that matches the CN and SAN fields of the destination server, but it's signed by the CA you're creating. Some admins choose something descriptive like "SSL-TLS Inspection", while others will simply use something like "MyCompany Security Team".

 

It won't actually matter, it's really just a matter of preference. It shows up as the signer, so most users won't even see it unless they have a habit of checking the certificate chain. 

 

Edit: You'll want to include the "Host Name" option as well. Chrome 57 (I think) has deprecated the CN field. If your CA doesn't have a SAN (using the Host Name field) it may complain. I haven't tested it, but it's worth considering.

View solution in original post

3 REPLIES 3

L6 Presenter

In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate. So FQDN of the inside interface (client facing interface) is the way to go. But for sure other members will give you a better advice as I am not a great fan of the SSL decryption 😄

L7 Applicator

Functionally, the CN won't really matter. The user is presented a server certificate that matches the CN and SAN fields of the destination server, but it's signed by the CA you're creating. Some admins choose something descriptive like "SSL-TLS Inspection", while others will simply use something like "MyCompany Security Team".

 

It won't actually matter, it's really just a matter of preference. It shows up as the signer, so most users won't even see it unless they have a habit of checking the certificate chain. 

 

Edit: You'll want to include the "Host Name" option as well. Chrome 57 (I think) has deprecated the CN field. If your CA doesn't have a SAN (using the Host Name field) it may complain. I haven't tested it, but it's worth considering.

SSL Certs are always being an interesting subject. Doesn't look complex but easy to get confused (at least for me :D)

Thanks for the explanation 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!