License: Any
Distinguished name conditions in SSL rules allow you to handle and inspect encrypted traffic based on the CA that issued a
server certificate, or the certificate holder. Based on the issuer distinguished name, you can handle traffic based on the
CA that issued a site’s server certificate. Because the subject distinguished name contains the website’s URL, you can also
handle encrypted traffic to and from specific URLs.
When configuring the rule condition, you can manually specify a literal value, reference a distinguished name object, or reference
a distinguished name group containing multiple objects.
Note
You cannot configure a distinguished name condition if you also select the Decrypt - Known Key action. Because that action requires you to select a server certificate to decrypt traffic, the certificate already matches the traffic. See Decrypt Actions: Decrypting Traffic for Further Inspection for more information.
You can match against multiple subject and issuer distinguished names in a single certificate status rule condition; only one common name or distinguished name needs to match for the rule to match.
If you add a distinguished name manually, it can contain the common name attribute (CN). If you add a common name without CN=, the module prepends CN= before saving the object.
You can also add a distinguished name with one of each attribute listed in the following table, separated by commas.
Table 2. Distinguished Name Attributes
Attribute | Description | Allowed Values
C | Country Code | two alphabetic characters
CN | Common Name | up to 64 alphanumeric, backslash (\), hyphen (-), quotation ("), asterisk (*), period (.), or space characters
O | Organization |
OU | Organizational Unit |
The following graphic illustrates a distinguished name rule condition searching for certificates issued to goodbakery.example.com
or issued by goodca.example.com. Traffic encrypted with these certificates is allowed, subject to access control.
The following graphic illustrates a distinguished name rule condition searching for certificates issued to badbakery.example.com
and associated domains, or certificates issued by badca.example.com. Traffic encrypted with these certificates is decrypted
using a re-signed certificate.
You can add a maximum of 50 literal values and distinguished name objects to the Subject DNs, and 50 literal values and distinguished name objects to the Issuer DNs, in a single DN condition.
The ASA FirePOWER module-provided DN object group, Sourcefire Undecryptable Sites, contains websites whose traffic the module
cannot decrypt. You can add this group to a DN condition to block or not decrypt traffic to or from these websites, without
wasting system resources attempting to decrypt that traffic. You can modify individual entries in the group. You cannot delete
the group. System updates can modify the entries on this list, but the module preserves user changes.
The first time the system detects an encrypted session to a new server, DN data is not available for ClientHello processing,
which can result in an undecrypted first session. After the initial session, the managed device caches data from the server
Certificate message. For subsequent connections from the same client, the system can match the ClientHello message conclusively
to rules with DN conditions and process the message to maximize decryption potential.
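To make the matching rules above concrete, here is an added Python example (not Cisco code, and not the module's implementation) that models a DN condition: literals are normalized by prepending CN= to a bare name, restricted to the C, CN, O and OU attributes with one of each, capped at 50 entries per list, and a rule matches when any one subject DN or any one issuer DN matches the server certificate. The case-insensitive comparison and the fnmatch-style handling of an asterisk in CN are assumptions for illustration; the page does not state the module's exact matching semantics.

```python
import fnmatch

# Attributes a manually entered DN literal may carry, one of each (table above).
DN_ATTRIBUTES = ("C", "CN", "O", "OU")
MAX_ENTRIES = 50  # per-list limit stated above for Subject DNs and Issuer DNs

def parse_dn(dn: str) -> dict:
    """Split a comma-separated DN string into {ATTR: value}; keys are upper-cased."""
    attrs = {}
    for part in dn.split(","):
        if not part.strip():
            continue
        key, _, value = part.strip().partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs

def normalize_condition_dn(literal: str) -> dict:
    """Parse a DN literal as entered in a rule condition. A bare name without
    'CN=' is treated as a common name, mirroring the module prepending 'CN='."""
    if "=" not in literal:
        literal = "CN=" + literal
    parts = [p for p in literal.split(",") if p.strip()]
    attrs = parse_dn(literal)
    if len(attrs) != len(parts):
        raise ValueError("each attribute may appear only once in a DN literal")
    unsupported = set(attrs) - set(DN_ATTRIBUTES)
    if unsupported:
        raise ValueError(f"unsupported DN attribute(s): {sorted(unsupported)}")
    return attrs

def dn_matches(condition: dict, cert_dn: dict) -> bool:
    """True when every attribute in the condition matches the certificate DN.
    Comparison is case-insensitive and '*' in CN is a wildcard (assumed
    fnmatch-style semantics; the module's exact matching rules are not stated)."""
    for key, pattern in condition.items():
        value = cert_dn.get(key, "").lower()
        if key == "CN":
            if not fnmatch.fnmatchcase(value, pattern.lower()):
                return False
        elif value != pattern.lower():
            return False
    return True

def rule_matches(subject_dns, issuer_dns, cert_subject: str, cert_issuer: str) -> bool:
    """Evaluate a DN condition: one matching subject DN or issuer DN suffices."""
    if len(subject_dns) > MAX_ENTRIES or len(issuer_dns) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries per DN list")
    subject, issuer = parse_dn(cert_subject), parse_dn(cert_issuer)
    return any(dn_matches(normalize_condition_dn(s), subject) for s in subject_dns) or \
           any(dn_matches(normalize_condition_dn(i), issuer) for i in issuer_dns)
```

The certificate DNs passed in are constructed sample strings; in practice they would come from the subject and issuer fields of the server Certificate message.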
To inspect encrypted traffic based on certificate subject or issuer distinguished name: