
HTTPS Inspection and MAC OS X Clients

Hi all,

We want to enable HTTPS Inspection at our TMG cluster... but the counterpart is, Mac OS X clients won't be able to connect to SSL sites after we activate it.

So I am aware of this blog post: http://blogs.technet.com/b/isablog/archive/2012/04/20/mac-os-clients-fail-to-access-ssl-websites-after-you-enable-https-inspection-in-forefront-tmg-2010.aspx

We had a certificate generated by our own internal CA, generated as described in this blog post: http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx

After we faced the problems with OS X we didn't do more research and renewed the certificate with the options of the second blog post, but as a Windows Server 2008 CA cert.

But still, Mac OS X (Safari) can't reach HTTPS sites; Firefox on Mac OS X works fine.

I've downloaded the certificates to check whether they are ASCII or Unicode... here are the results:

Aussteller:
    CN=TMG HTTPS CNG Inspection
    [0,0]: CERT_RDN_PRINTABLE_STRING, Länge = 40 (40/64 Zeichen)
        2.5.4.3 Allgemeiner Name (CN)="TMG HTTPS CNG Inspection"
[...]

Antragsteller:
    CN=*.facebook.com
    O=Facebook, Inc.
    L=Menlo Park
    S=CA
    C=US
    [0,0]: CERT_RDN_PRINTABLE_STRING, Länge = 2 (2/2 Zeichen)
        2.5.4.6 Land/Region (C)="US"
        55 53                                              US
        55 00 53 00                                        U.S.

    [1,0]: CERT_RDN_PRINTABLE_STRING, Länge = 2 (2/128 Zeichen)
        2.5.4.8 Bundesland oder Kanton (S)="CA"
        43 41                                              CA
        43 00 41 00                                        C.A.

    [2,0]: CERT_RDN_PRINTABLE_STRING, Länge = 10 (10/128 Zeichen)
        2.5.4.7 Ort (L)="Menlo Park"
        4d 65 6e 6c 6f 20 50 61  72 6b                     Menlo Park
        4d 00 65 00 6e 00 6c 00  6f 00 20 00 50 00 61 00   M.e.n.l.o. .P.a.
        72 00 6b 00                                        r.k.

    [3,0]: CERT_RDN_PRINTABLE_STRING, Länge = 14 (14/64 Zeichen)
        2.5.4.10 Organisation (O)="Facebook, Inc."
        46 61 63 65 62 6f 6f 6b  2c 20 49 6e 63 2e         Facebook, Inc.
        46 00 61 00 63 00 65 00  62 00 6f 00 6f 00 6b 00   F.a.c.e.b.o.o.k.
        2c 00 20 00 49 00 6e 00  63 00 2e 00               ,. .I.n.c...

    [4,0]: CERT_RDN_UTF8_STRING, Länge = 14 (14/64 Zeichen)
        2.5.4.3 Allgemeiner Name (CN)="*.facebook.com"

So I think the problem is the last one, since it is still issued as UTF8... but why? Shouldn't this also be a printable/ASCII one? How can I fix it?

The template which generated the TMG Certificate has the following settings:

General
Validity: 10 Years
Renewal period: 2 Years

Issuance Requirements
-

Suspended Templates
-

Extensions
Application Policies: Code Signing (Codesignatur), Private Key Archival (Archivierung des privaten Schlüssels), Server Authentication (Serverauthentifizierung)
Basic Constraints: everything is checked
Certificate Template Information: -
Key Usage: Digital signature, Signature is proof of origin (nonrepudiation), Certificate signing, CRL signing, Make this Extension critical

Do you have any ideas why I still get UTF8 subjects?

Thanks for your help in advance
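
Added example (not part of the original post, and not TMG or certutil code): a small DER walker that reports the ASN.1 string type of each attribute in a Name, the same information the certutil dump above shows, plus whether the value fits the PrintableString alphabet. SAMPLE_NAME is a constructed Name mirroring two of the attributes in the dump; all function names are hypothetical.

```python
# ASN.1 universal tags for the string types that appear in certificate names
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
               0x16: "IA5String", 0x1E: "BMPString"}
# PrintableString alphabet as defined in X.680; '*' is not part of it
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")
# Constructed sample: DER Name with C=US (PrintableString) and
# CN=*.facebook.com (UTF8String), as in the dump above
SAMPLE_NAME = bytes.fromhex(
    "3026310b30090603550406130255533117301506035504030c0e") + b"*.facebook.com"

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element nested inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):
    """Decode OID bytes to dotted form (enough for X.520 attributes such as 2.5.4.3)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def name_string_types(der_name):
    """List (oid, string type, text, fits_printable) for every attribute of a DER Name."""
    tag, rdns, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out = []
    for _, rdn in children(rdns):          # each RDN is a SET
        for _, atv in children(rdn):       # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (stag, sval) = children(atv)
            text = sval.decode("utf-16-be" if stag == 0x1E else "utf-8", "replace")
            out.append((decode_oid(oid), STRING_TAGS.get(stag, hex(stag)),
                        text, set(text) <= PRINTABLE))
    return out

if __name__ == "__main__":
    for row in name_string_types(SAMPLE_NAME):
        print(row)
```

For a real certificate, pass the DER bytes of its subject or issuer Name; the last field shows which values could not be encoded as PrintableString regardless of template settings.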