Distinguished Name

Each distinguished name object represents the distinguished name for a public key certificate’s subject or issuer. You can use distinguished name objects and groups in TLS/SSL rules to control encrypted traffic based on whether the client and server negotiated the TLS/SSL session using a server certificate with the distinguished name as subject or issuer.

(A distinguished name group is a named collection of existing distinguished name objects.)

The distinguished name can consist of country code, common name, organization, and organizational unit, but typically consists of a common name only. For example, the common name in the certificate for https://www.cisco.com is cisco.com. (However, it's not always this simple; Distinguished Name (DN) Rule Conditions shows how to find common names.) The certificate can contain multiple Subject Alternative Names (SANs) you can use as DNs in a rule condition. For detailed information about SANs, see RFC 5280, section 4.2.1.6.

The format of a distinguished name object that references a common name is CN=name. If you add a DN rule condition without CN=, the system prepends CN= before saving the object.

As discussed further in Distinguished Name (DN) Rule Conditions, the system uses Server Name Indication (SNI) to match the DN in the TLS/SSL rule whenever possible.

You can also add a distinguished name with one of each of the attributes listed in the following table, separated by commas.

Distinguished name attributes

Attribute   Description          Allowed Values
C           Country Code         two alphabetic characters
CN          Common Name          up to 64 alphanumeric, slash (/), hyphen (-), period (.), quotation ("), or asterisk (*) characters, or spaces
O           Organization         up to 64 alphanumeric, slash (/), hyphen (-), period (.), quotation ("), or asterisk (*) characters, or spaces
OU          Organizational Unit  up to 64 alphanumeric, slash (/), hyphen (-), period (.), quotation ("), or asterisk (*) characters, or spaces

Important notes about DN rule conditions

  • The first time the system detects an encrypted session to a new server, DN data is not available for ClientHello processing, which might result in an undecrypted first session.

    If the session negotiates TLS 1.3, where the server certificate itself is sent encrypted, the setting for TLS server identity discovery can help by making sure the server certificate is known before making decryption policy decisions. For more information, see Access Control Policy Advanced Settings.

  • You cannot configure a distinguished name condition if you also choose the Decrypt - Known Key action. Because that action requires you to choose a server certificate to decrypt traffic, the certificate already matches the traffic.

Wildcard examples

You can define one or more asterisks (*) as wildcards in an attribute. In a common name attribute, you can define one or more asterisks per domain name label. A wildcard matches only within its own label, but you can define multiple labels with wildcards. See the following table for examples.

Common Name attribute wildcard examples

Attribute          Matches                                   Does Not Match
CN=*ample.com      example.com                               mail.example.com, example.text.com, ampleexam.com
CN=exam*.com       example.com                               mail.example.com, example.text.com, ampleexam.com
CN=*xamp*.com      example.com                               mail.example.com, example.text.com, ampleexam.com
CN=*.example.com   mail.example.com, www.myhost.example.com  example.com, example.text.com, ampleexam.com

Note

The DN object CN=amp.cisco.com would not match a CN like CN=auth.amp.cisco.com, which is why we recommend a wildcard object (for example, CN=*.amp.cisco.com) in such cases.
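The following Python script is an added example, not code from the original page or from the product: it models the DN object rules described above (CN= prepended to a bare value, one of each attribute from the attribute table, and per-label wildcard matching) and reproduces every row of the wildcard table, including the note about CN=amp.cisco.com. Two points are assumptions rather than documented behaviour: a leading "*." is treated as matching one or more whole labels (the only reading under which CN=*.example.com matches www.myhost.example.com as the table shows), and the period is accepted in CN/O/OU values because every CN example on the page contains one. The function names, the sample DN objects and the sample session names are constructed for the example.

```python
import re

# Allowed characters for CN, O and OU from the page's attribute table.
# ASSUMPTION: "." is also allowed, since every CN example on the page
# (e.g. CN=*.example.com) contains one.
_TEXT_VALUE = re.compile(r'^[A-Za-z0-9/\-"*. ]{1,64}$')
ATTRIBUTE_RULES = {
    "C": re.compile(r"^[A-Za-z]{2}$"),  # two alphabetic characters
    "CN": _TEXT_VALUE,
    "O": _TEXT_VALUE,
    "OU": _TEXT_VALUE,
}


def parse_dn_object(text):
    """Normalize and validate one DN object string into {attribute: value}.

    A value with no "ATTR=" prefix gets CN= prepended, as the page says the
    system does before saving. Each of C, CN, O, OU may appear at most once.
    Raises ValueError for anything the attribute table does not allow.
    """
    text = text.strip()
    if "=" not in text:
        text = "CN=" + text
    attrs = {}
    for part in text.split(","):
        key, sep, value = part.strip().partition("=")
        key, value = key.strip().upper(), value.strip()
        if not sep or key not in ATTRIBUTE_RULES:
            raise ValueError(f"unsupported attribute in {part!r}")
        if key in attrs:
            raise ValueError(f"attribute {key} appears more than once")
        if not ATTRIBUTE_RULES[key].fullmatch(value):
            raise ValueError(f"invalid value for {key}: {value!r}")
        attrs[key] = value
    return attrs


def is_valid_dn_object(text):
    """Boolean wrapper around parse_dn_object for quick input checks."""
    try:
        parse_dn_object(text)
        return True
    except ValueError:
        return False


def wildcard_to_regex(cn_pattern):
    """Compile a CN wildcard pattern into an anchored, case-insensitive regex.

    Inside a label, "*" matches any run of non-dot characters, so a wildcard
    never crosses a label boundary (the page's stated rule). ASSUMPTION: a
    leading "*." matches one or more whole labels; that is the reading under
    which CN=*.example.com matches www.myhost.example.com as in the page's
    table, but the page does not spell it out. Host names compare
    case-insensitively.
    """
    if cn_pattern.startswith("*."):
        prefix, rest = r"(?:[^.]+\.)+", cn_pattern[2:]
    else:
        prefix, rest = "", cn_pattern
    body = "".join("[^.]*" if ch == "*" else re.escape(ch) for ch in rest)
    return re.compile(f"^{prefix}{body}$", re.IGNORECASE)


def cn_matches(dn_object, name):
    """True if the DN object's CN (with wildcards) matches a host name."""
    cn = parse_dn_object(dn_object)["CN"]
    return wildcard_to_regex(cn).fullmatch(name) is not None


def first_matching_object(dn_objects, session_names):
    """Return the first DN object matching any name seen for the session.

    session_names holds what the rule engine has for the connection: the
    ClientHello SNI and, once the server certificate is known, its subject
    CN and SANs. This is a simplification of the page's "SNI whenever
    possible" behaviour; the real precedence is not described on the page.
    """
    for obj in dn_objects:
        if any(cn_matches(obj, n) for n in session_names):
            return obj
    return None


if __name__ == "__main__":
    # Constructed sample: two candidate DN objects and the SNI of one session.
    objects = ["CN=amp.cisco.com", "CN=*.amp.cisco.com"]
    session = ["auth.amp.cisco.com"]
    print(first_matching_object(objects, session))
```

Running the script prints CN=*.amp.cisco.com: the exact object CN=amp.cisco.com is skipped for the same reason the note gives, while the wildcard object matches the auth.amp.cisco.com name.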

For more information and examples, see Distinguished Name (DN) Rule Conditions.