diff --git a/BUILD b/BUILD
index 8ee5f634..21782409 100644
--- a/BUILD
+++ b/BUILD
@@ -232,6 +232,7 @@ proto_library(
         "//envoy/extensions/key_value/file_based/v3:pkg",
         "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
         "//envoy/extensions/matching/common_inputs/network/v3:pkg",
+        "//envoy/extensions/matching/common_inputs/ssl/v3:pkg",
         "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
         "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
         "//envoy/extensions/network/dns_resolver/apple/v3:pkg",
diff --git a/envoy/extensions/matching/common_inputs/ssl/v3/BUILD b/envoy/extensions/matching/common_inputs/ssl/v3/BUILD
new file mode 100644
index 00000000..ee92fb65
--- /dev/null
+++ b/envoy/extensions/matching/common_inputs/ssl/v3/BUILD
@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)
diff --git a/envoy/extensions/matching/common_inputs/ssl/v3/ssl_inputs.proto b/envoy/extensions/matching/common_inputs/ssl/v3/ssl_inputs.proto
new file mode 100644
index 00000000..a1bf56a2
--- /dev/null
+++ b/envoy/extensions/matching/common_inputs/ssl/v3/ssl_inputs.proto
@@ -0,0 +1,29 @@
+syntax = "proto3";
+
+package envoy.extensions.matching.common_inputs.ssl.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.matching.common_inputs.ssl.v3";
+option java_outer_classname = "SslInputsProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/ssl/v3;sslv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Common SSL Matching Inputs]
+
+// List of comma-delimited URIs in the SAN field of the peer certificate for a downstream.
+// [#extension: envoy.matching.inputs.uri_san]
+message UriSanInput {
+}
+
+// List of comma-delimited DNS entries in the SAN field of the peer certificate for a downstream.
+// [#extension: envoy.matching.inputs.dns_san]
+message DnsSanInput {
+}
+
+// Input that matches the subject field of the peer certificate in RFC 2253 format for a
+// downstream.
+// [#extension: envoy.matching.inputs.subject]
+message SubjectInput {
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index 3f168ab3..4e40d0c7 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -173,6 +173,7 @@ proto_library(
         "//envoy/extensions/load_balancing_policies/wrr_locality/v3:pkg",
         "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
         "//envoy/extensions/matching/common_inputs/network/v3:pkg",
+        "//envoy/extensions/matching/common_inputs/ssl/v3:pkg",
         "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
         "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
         "//envoy/extensions/network/dns_resolver/apple/v3:pkg",