When the Umbrella Secure Web Gateway (SWG) proxy is configured to perform HTTPS Inspection, a user may receive a 516 Upstream Certificate CN Mismatch error page when browsing to a website using an HTTPS URL.
This error does not indicate a problem with the Common Name (CN) attribute in the website certificate's Subject field. Rather, the issue pertains to the DNS Name attribute in the Subject Alternative Names (SAN) extension of the website's certificate.
Certificate identity mechanics
When requesting an HTTPS URL, a web client sends the domain name in the URL to the web server via the Server Name Indication (SNI) extension in the Client Hello message of the TLS negotiation. The web server uses the SNI to identify the correct server certificate for the requested website, since a server often hosts multiple websites and can have different certificates for some or all of the sites.
When the certificate is received by the web client, the client verifies that it is the correct certificate for the request by checking for a match between the requested domain name and the domain name(s) in the DNS Name attributes of the certificate's Subject Alternative Names extension. The image below shows the SANs for a website's certificate.
This web server will return this certificate in response to requests with the following SNI values:
as well as others not visible in the Field Value panel of this screenshot.
Certificate identity errors
When a web client receives a server certificate, if none of the SAN DNS Names match the domain name in the requested URL, then the web client will display an error to the user. The image below shows the "NET::ERR_CERT_COMMON_NAME_INVALID" interstitial page generated by the Chrome browser.
In the above example, this certificate contains a wildcard SAN DNS Name, "*.badssl.com". The * wildcard can only stand in for a single label (a name with no dots/periods), such as "www" or "host". The client requested the URL "https://wrong.host.badssl.com". Since the domain name "wrong.host.badssl.com" does not match the wildcard SAN DNS Name, and the certificate does not have a SAN DNS Name with the value "wrong.host.badssl.com", the user is presented with the above error.
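The following script is an added example (not Cisco's code or part of this article) that reproduces the SAN matching rule described above, so an administrator can check which requested hostnames a certificate's SAN DNS Names would accept before deciding between re-issuing the certificate and adding the name to a decryption bypass list. The SAN list is constructed sample data modelled on the badssl.com example in the text; the function and variable names are the example's own.

```python
"""Check a requested hostname against a certificate's SAN DNS Names.

Matching follows the rule in the text (and RFC 6125 section 6.4.3): the "*"
wildcard may only appear as the whole left-most label and stands in for exactly
one label. So "*.badssl.com" matches "host.badssl.com" but not
"wrong.host.badssl.com" (two labels) and not "badssl.com" (zero labels).
Comparison is case-insensitive and ignores a trailing dot.
"""
from typing import List, Optional

# Constructed sample SAN DNS Names (not read from a real certificate).
CONSTRUCTED_SANS: List[str] = ["badssl.com", "*.badssl.com"]


def _normalize(name: str) -> List[str]:
    """Lower-case the name, drop a trailing dot, and split into labels."""
    return name.lower().rstrip(".").split(".")


def san_matches(san_dns_name: str, hostname: str) -> bool:
    """Return True if one SAN DNS Name entry covers the requested hostname."""
    san_labels = _normalize(san_dns_name)
    host_labels = _normalize(hostname)

    # A wildcard replaces exactly one label, so label counts must agree.
    if len(san_labels) != len(host_labels):
        return False

    if san_labels[0] == "*":
        # Reject overly broad wildcards such as "*" or "*.com": the wildcard
        # must be followed by at least two labels (e.g. "*.badssl.com").
        if len(san_labels) < 3:
            return False
        # Left-most label is free; every remaining label must match exactly.
        return san_labels[1:] == host_labels[1:]

    # No wildcard (or "*" somewhere other than the left-most label, which is
    # treated as a literal and therefore never matches a real label).
    return san_labels == host_labels


def find_matching_san(hostname: str, san_dns_names: List[str]) -> Optional[str]:
    """Return the first SAN DNS Name that covers hostname, or None."""
    for san in san_dns_names:
        if san_matches(san, hostname):
            return san
    return None


def explain(hostname: str, san_dns_names: List[str]) -> str:
    """Human-readable verdict for a requested hostname."""
    match = find_matching_san(hostname, san_dns_names)
    if match is None:
        return (f"MISMATCH: no SAN DNS Name covers {hostname!r}; "
                f"the proxy would return a 516 page. Either request a covered "
                f"name or re-issue the certificate with {hostname!r} as a SAN.")
    return f"OK: {hostname!r} is covered by SAN DNS Name {match!r}"


if __name__ == "__main__":
    for requested in ["wrong.host.badssl.com", "host.badssl.com",
                      "badssl.com", "WWW.BADSSL.COM."]:
        print(explain(requested, CONSTRUCTED_SANS))
```

Run it as-is to see the four verdicts; the "wrong.host.badssl.com" line is the case from the Chrome screenshot above. To check a real certificate, replace CONSTRUCTED_SANS with the DNS Name values copied from the certificate's Subject Alternative Name field.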
Resolutions and workarounds
To resolve this issue, access the server with a domain name that matches one of the SAN DNS Names in the certificate. Alternatively, the certificate can be re-issued to include the erroring domain name in one of the SAN DNS Names.
As a workaround, the erroring domain name of the website can be added to a Selective Decryption List for the Secure Web Gateway proxy or to a Destination List in the Intelligent Proxy. Apply the list to the appropriate Web policy Ruleset Setting (Secure Web Gateway) or DNS policy Allow List (Intelligent Proxy). This will prevent the request to the website from being decrypted by the proxy, and thus will prevent the proxy from displaying a 516 error page.
Note: Use of both the Secure Web Gateway proxy and Intelligent Proxy is unsupported. Only one proxy technology can be employed per organization. Organizations which have subscriptions for Secure Web Gateway should use SWG and not use Intelligent Proxy.
Common Name is deprecated
The Subject Alternative Name extension is a newer mechanism for specifying certificate identity. The older mechanism used the Common Name (CN) attribute in the certificate's Subject field. This mechanism has been deprecated in modern web clients, but error messages often continue to reference the deprecated mechanism, such as "NET::ERR_CERT_COMMON_NAME_INVALID" in Chrome.
Similarly, Umbrella SWG will display a 516 error page with the following text:
when the SWG proxy requests a URL from a web server, and a SAN DNS Name mismatch occurs. Cisco Umbrella will update this text at a future date to reflect the current behavior.