Getting "Certificate name does not contain the expected fqdn"
search cancel

Getting "Certificate name does not contain the expected fqdn"

book

Article ID: 205098

calendar_today

Updated On:

Products

IT Management Suite Client Management Suite

Issue/Introduction

The customer is trying to change/update any of the options under Symantec Installation Manager (SIM) > Configure Settings > Configure NS Settings. When this page is trying to load, SIM is making a certificate validation:

but it fails with a message saying:

SSL is already configured with the 'smp-main.example.com" certificate in the IIS settings for selected web site and certificate 'smp-main.example.com" failed following validity tests:

Certificate name does not contain the expected fqdn

To correct this issue, you can:

Reissue a certificate from your Certificate Authority

Select a different certificate

Create a self-signed certificate

Environment

ITMS 8.x

Cause

The certificate in use in IIS was not the same as the one applied to the Agent Communication Profile. They had 2 different certificates for the same server name under the Personal Certificate Store. One was used in IIS and the other one was added to their Agent Communication Profile.

SIM passes the same name in both locations:

SSL is already configured with the '{0}' certificate in the IIS settings for the selected website and certificate '{0}'
 
and this is the name taken from the certificate. 
 
What is done during validation: We compare the host taken from subject CN and from Subject Alternative Name extension with the hostname passed by SIM. If the passed hostname can't be found in the certificate - you will get this error. 
The hostname that SIM is using is taken from the Altiris site (under Default Web Site).
When you use a certificate for SSL - subject (CN= part) and SAN (subject alternative names) extension are what plays a role. IIS takes the hostname from client call and checks that this name appears in subject or SAN. If not - certificate validation fails. In IE you will get a security warning about name mismatch but still can bypass this problem (you try to connect to one server but it is actually "another" server with a different name, which is a sign of a rogue redirection attempt). 

Resolution

Check the following:

  1. Make sure that the certificate in use for your 443 port binding in IIS has the proper names, especially that the certificate "subject" or "Subject Alternative Name" matches the actual SMP Server name
  2. Make sure that the certificate in use for the Default Web site for port 443 binding is also present in the Agent Communication Profile for your SMP (under SMP Console > Settings > All Settings > Agent/Plug-ins > Symantec Management Agent > Symantec Management Agent Communication Profile>Select SMP profile>Click "Edit" for "SSL certificates are defined for overall profile")

* If the DNS name is different than the FQDN, both names should be in the certificate. One in the Subject and the other in the Subject Alternative Name.

Powered by Wolken Software