A customer sees the following in CEM agent logs while testing a new CEM implementation:

Operation 'CEM: Connect' failed. 
Protocol: HTTPS 
Original host: <NotificationServer>.org:443
Real host: <InternetGateway>.org:443

Error type: TLS Handshake error 
Error code: The certificate chain was issued by an authority that is not trusted (0x80090325) 
Error note: 'InternetGateway.org' server's certificate is not valid, thumbprint mismatch 
Gateway HTTPS connection info: 
   Server certificate: 
      Serial number: [Serial number here] 
      Thumbprint: [Thumbprint here]

In at least one occurrence of this issue, the thumbprint listed in the CEM agent error doesn't/didn't match any thumbprints in the customer's environment

Another possible symptom is that internal agents can connect through the gateway while on the internal network

DNS name resolution problem. The customer had an invalid public IP assigned to the Internet Gateway in external DNS. While connected internally, agents were able to resolve the Internet Gateway name to the correct IP.

Since the public IP is not resolving correctly, the certificate we tried to verify doesn't actually exist on the Internet Gateway. The agent was comparing an expected certificate thumbprint to the thumbprint of some other publicly available device on the internet.

Update external/internal DNS records to resolve the correct public IP address for the Internet Gateway