In the ever-evolving landscape of secure connectivity, Microsoft’s Global Secure Access (GSA) stands out as a powerful solution for Zero Trust Network Access. With its promise of seamless, policy-driven access control and deep traffic inspection, it’s no wonder many enterprises are adopting it as part of their SASE strategy.
But what happens when everything is configured by the book—and yet, TLS inspection simply doesn’t work?
The Setup: Doing Everything Right
You’ve followed Microsoft’s documentation meticulously:
- Created a Certificate Signing Request (CSR).
- Uploaded the TLS inspection certificate to the GSA portal.
- Enabled TLS inspection policies.
- Verified that the inspection profile is applied to the correct traffic categories.
And yet, despite all this, traffic silently bypasses inspection. No inspection. No alerts. Just silence.
The Silent Bypass: A Hidden Pitfall in Certificate Extensions
One of the most overlooked—but critical—reasons TLS inspection silently fails in Microsoft Global Secure Access is an incomplete or incorrect set of extensions in the CA-signed certificate.
Microsoft’s documentation typically specifies:
basicConstraints = critical, CA:TRUE
However, in practice, this is not sufficient for TLS inspection to function correctly. The certificate must also include the following key usage extension, with both the keyCertSign and cRLSign bits set:
keyUsage = critical, keyCertSign, cRLSign
So the full set of required extensions should be:
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
Without these, the certificate may be accepted by the portal, but TLS inspection will be silently bypassed, leaving your traffic uninspected and your policies ineffective.
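The following script is an added example, not code from the original post or from Microsoft. It replays the scenario above with the OpenSSL CLI, whose extension-section syntax the lines above use: a CSR (a constructed stand-in for the one exported from the GSA portal) is signed by an enterprise CA (a constructed self-signed root) once with only the basicConstraints extension and once with the full set, and a check function reports which of the required extensions each signed certificate actually carries. It assumes the openssl CLI is on PATH; every file name, subject and serial number is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or Microsoft): sign the same CSR with
# the "docs only" extension set and with the full set, then check both results.
# Assumes the openssl CLI is on PATH; all names, subjects and serials are constructed.

set -e

# Constructed OpenSSL config: [req]/[dn] drive key and CSR generation; the two
# extension sections are the minimal set and the full set from the post.
CA_CONF='[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = Constructed Enterprise Root CA

[ docs_only ]
basicConstraints = critical, CA:TRUE

[ gsa_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
'

# make_root_ca DIR: write the config and create a self-signed root (the "enterprise CA").
make_root_ca() {
    printf '%s' "$CA_CONF" > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$1/ca.cnf" -extensions gsa_ca \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

# make_portal_csr DIR: create a key and CSR standing in for the one from the GSA portal.
make_portal_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$1/ca.cnf" -subj "/CN=Constructed GSA TLS Inspection CA" \
        -keyout "$1/gsa.key" -out "$1/gsa.csr" 2>/dev/null
}

# sign_csr DIR SECTION OUT: sign the CSR with the root CA, applying extension section
# SECTION from ca.cnf. The issuing CA, not the CSR, decides which extensions end up
# in the certificate, so this is the step where the bits go missing.
sign_csr() {
    openssl x509 -req -in "$1/gsa.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 4242 -days 365 -extfile "$1/ca.cnf" -extensions "$2" \
        -out "$3" 2>/dev/null
}

# check_inspection_cert CERT: return 0 if CERT carries basicConstraints CA:TRUE and
# keyUsage with both keyCertSign and cRLSign; otherwise list what is missing, return 1.
check_inspection_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    missing=""
    echo "$text" | grep -q 'CA:TRUE'          || missing="$missing basicConstraints=CA:TRUE"
    echo "$text" | grep -q 'Certificate Sign' || missing="$missing keyUsage=keyCertSign"
    echo "$text" | grep -q 'CRL Sign'         || missing="$missing keyUsage=cRLSign"
    if [ -n "$missing" ]; then
        echo "$1: NOT suitable for TLS inspection, missing:$missing"
        return 1
    fi
    echo "$1: carries the full basicConstraints + keyUsage set"
}

# Stand-alone run: sign the same CSR both ways and compare the two results.
main() {
    dir=$(mktemp -d)
    make_root_ca "$dir"
    make_portal_csr "$dir"
    sign_csr "$dir" docs_only "$dir/docs_only.pem"
    sign_csr "$dir" gsa_ca "$dir/gsa_ca.pem"
    check_inspection_cert "$dir/docs_only.pem" || true   # reports the two missing keyUsage bits
    check_inspection_cert "$dir/gsa_ca.pem"
}
main
```

Running check_inspection_cert against the certificate your enterprise CA actually issued, before uploading it to the portal, is the quickest way to catch this: the portal accepts both certificates, but only the one signed with the gsa_ca section passes the check.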
Why This Matters
This subtle misconfiguration can be incredibly frustrating. You’ve done everything right—generated the CSR, uploaded the certificate, applied the policies—and yet, nothing happens. No errors. No logs. Just uninspected traffic.
By ensuring the CA-signed inspection certificate carries both the basicConstraints and keyUsage extensions above, you can avoid this silent failure and ensure your TLS inspection policies are enforced as intended.