Certificate for SSL decryption policy on NGFW

I am trying to understand SSL decryption before planning to implement it in the network.

For the SSL forward proxy, as I read, we will be installing some CA certificate or similar on the NGFW in order to use it while intercepting the connection.

Now if I do so, how can I avoid any error with the certificate? Even if I put the certificate in my trust store I might see the error.

For example, to make you understand:

I have installed or created a certificate on my NGFW for SSL purposes, and have even installed it in my end machine's trust store, but won't it cause an error because parameters like the Subject Alternative Name, or else the Subject Name where we define the common name, will not match the domain/URL we are trying to reach?

From my machine I am trying to reach, let's say, "www.abc.com" or any other site. Here the certificate I am using might have different information under "Subject Name" and not the URL I am trying to visit. So this would lead to a certificate error due to the field mismatch.

I just want to understand SSL decryption in complete detail and how we handle certificate-related issues.


The certificate provided by the SSL intercepting firewall is dynamically generated. It matches the expectation of the client, i.e. it matches the expected hostname etc. The main difference compared to the original server certificate is that it is not issued by the original (publicly trusted) CA but by the CA on the firewall. Since this CA is trusted by the client, and since the information in the certificate matches the client's expectations, the certificate issued on the firewall will be trusted by the client.
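The dynamic issuance described in the answer, as an added Go example (not code from the answer or from any firewall vendor): it mints a leaf certificate for the requested hostname under a locally generated proxy CA (the CA name and validity period are constructed placeholders), then runs the two client-side checks, chain to a trusted root and SAN/hostname match, that decide whether the client shows a certificate error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl on behalf of parent (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub, signer interface{}) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MintForHost does what the forward proxy does per intercepted connection: it
// issues a leaf whose SAN is exactly the requested hostname, signed by its own CA.
func MintForHost(host string) (ca, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail in practice
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{ // the CA that must sit in every client's trust store
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Example NGFW Forward Proxy CA"}, // constructed placeholder name
		NotBefore:    notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageCertSign,
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN entry that modern clients actually check
		NotBefore:    notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, err
}

// ClientAccepts applies the two checks a TLS client makes before trusting a
// server certificate: a chain to a root in trustStore and a SAN matching host.
func ClientAccepts(leaf *x509.Certificate, trustStore *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trustStore, DNSName: host})
	return err
}
```

With the proxy CA in the pool and the hostname matching the SAN, `ClientAccepts` returns nil; an empty pool (CA not installed) or a different hostname returns an error, which is exactly what the browser would show.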


I want to enhance Steffen Ullrich's answer by speaking a word of warning: You are effectively breaking the security of the end-to-end encryption. While this is the only way to allow the firewall to inspect the content and filter out possibly malicious content, it comes at a great cost:
You are deploying a working man-in-the-middle "attack" for all of your customers' SSL connections. If your firewall ever gets compromised, all your SSL traffic is readable by the attacker, without your clients noticing it.