
New Features

Support for wildcard and regular expressions in Subject CN field for certificate tagging rule 7.2.3

The Subject CN field available when configuring a certificate Zero Trust tagging rule in EMS now supports wildcards, regular expressions, and case-insensitive matching. The Subject CN field is also optional. This allows the following benefits:

  • Use a single Zero Trust tag for endpoints that have a certificate issued by Active Directory, which usually has hostnames as the subject CN.
  • Use a single Zero Trust tag for endpoints that have user-based certificates, which use usernames as the subject CN, by using regular expressions.
  • Since the Subject CN field is optional, EMS can use the subject alternative name in the certificate instead.

To configure this feature:
  1. In EMS, go to Zero Trust Tags > Zero Trust Tagging Rules.
  2. Click Add.
  3. Click Add Rule.
  4. In the OS field, select Windows, Mac, or Linux.
  5. From the Rule Type dropdown list, select Certificate.
  6. From the dropdown list, select Simple, Regex, or Wildcard, then enter the desired value in the field.
  7. In the Issuer CN field, enter the desired value. This field is case sensitive and does not support regular expressions or wildcards; you must enter the value exactly as it appears on the installed certificate.
  8. Click Save.

The following provides examples of use cases for this feature:

Use case 1
  Use case: Certificate subject CN contains the username, user ID, and department.
  Certificate subject CN: David-200999.Marketing.fortiClient.fortinet.local
    • David is the username.
    • 200999 is the user ID.
    • Marketing is the department.
  Regular expression to configure in the EMS Subject CN field:
    \b\w+\b\-\d{6}\.\w+\.fortiClient\.fortinet\.local

Use case 2
  Use case: Certificate subject CN contains the office location, device owner ID, and host asset number.
  Certificate subject CN: SEA-200998-Desktop1.fortinet.local
    • SEA is the office location.
    • 200998 is the device owner ID.
    • Desktop1 is the host asset number.
  Regular expression to configure in the EMS Subject CN field:
    SEA\-\d{6}\-Des\w{4}\d(\..+)+
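As an added example (not Fortinet's code and not EMS's own matching engine), the following Python vets the two regular expressions from the use cases above against constructed subject CNs, the way a practitioner might check a rule before saving it. It assumes Python `re` semantics, and whether EMS anchors a Regex pattern to the whole CN is not stated on this page, so the `anchored` flag is an assumption that lets you test both behaviours.

```python
import re
from fnmatch import translate

# The two Subject CN patterns shown in the use cases on this page.
PAGE_PATTERNS = {
    "user_cert": r"\b\w+\b\-\d{6}\.\w+\.fortiClient\.fortinet\.local",
    "asset_cert": r"SEA\-\d{6}\-Des\w{4}\d(\..+)+",
}


def subject_cn_matches(mode, value, subject_cn, anchored=True):
    """Return True if subject_cn satisfies a Subject CN rule of the given mode.

    mode is "Simple", "Regex", or "Wildcard", as in the EMS dropdown.
    Matching is case insensitive, as the page states for the Subject CN field.
    anchored (assumption, not documented here) selects whole-CN matching
    (re.fullmatch) versus substring matching (re.search) for Regex rules.
    """
    if mode == "Simple":
        return value.lower() == subject_cn.lower()
    if mode == "Wildcard":
        # fnmatch.translate() turns a shell-style wildcard into an anchored regex.
        return re.match(translate(value), subject_cn, re.IGNORECASE) is not None
    if mode == "Regex":
        match_fn = re.fullmatch if anchored else re.search
        return match_fn(value, subject_cn, re.IGNORECASE) is not None
    raise ValueError(f"unknown rule mode {mode!r}")


def tag_endpoints(rules, subject_cns, anchored=True):
    """Map each endpoint subject CN to the set of tag names whose rule it satisfies.

    rules: {tag_name: (mode, value)}; subject_cns: constructed sample CNs.
    """
    return {
        cn: {tag for tag, (mode, value) in rules.items()
             if subject_cn_matches(mode, value, cn, anchored)}
        for cn in subject_cns
    }


if __name__ == "__main__":
    # Constructed sample data: two CNs from the page plus one that matches neither rule.
    sample_rules = {
        "user-certs": ("Regex", PAGE_PATTERNS["user_cert"]),
        "sea-desktops": ("Regex", PAGE_PATTERNS["asset_cert"]),
    }
    sample_cns = [
        "David-200999.Marketing.fortiClient.fortinet.local",
        "SEA-200998-Desktop1.fortinet.local",
        "printer01.fortinet.local",
    ]
    for cn, tags in tag_endpoints(sample_rules, sample_cns).items():
        print(f"{cn}: {sorted(tags) or 'no tag'}")
```

Run a candidate pattern through both `anchored` settings before deploying it; if a CN you did not intend to tag only matches in substring mode, tighten the pattern so it does not depend on anchoring.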
