Server Certificate-Based Decryption Rule Conditions
decryption rules can handle and decrypt encrypted traffic based on server certificate characteristics. You can configure decryption rules based on the following server certificate attributes:
-
Distinguished name conditions allow you to handle and inspect encrypted traffic based on the CA that issued a server certificate, or the certificate holder. Based on the issuer distinguished name, you can handle traffic based on the CA that issued a site’s server certificate.
-
Certificate conditions in decryption rules allow you to handle and inspect encrypted traffic based on the server certificate used to encrypt that traffic. You can configure a condition with one or more certificates; traffic matches the rule if the certificate matches any of the condition’s certificates.
-
Certificate status conditions in decryption rules allow you to handle and inspect encrypted traffic based on the status of the server certificate used to encrypt the traffic, including whether a certificate is valid, revoked, expired, not yet valid, self-signed, signed by a trusted CA, whether the Certificate Revocation List (CRL) is valid; whether the Server Name Indication (SNI) in the certificate matches the server in the request.
-
Cipher suite conditions in decryption rules allow you to handle and inspect encrypted traffic based on the cipher suite used to negotiate the encrypted session.
-
Session conditions in decryption rules allow you to inspect encrypted traffic based on the SSL or TLS version used to encrypt the traffic.
To detect multiple cipher suites in a rule, the certificate issuer, or the certificate holder, you can create reusable cipher suite list and distinguished name objects and add them to your rule. To detect the server certificate and certain certificate statuses, you must create external certificate and external CA objects for the rule.