A SAC administrator added a new Web Application accelerating a CyberArk back-end web server.
It was initially launched with the Luminatesec domain and worked fine for months.
After switching to a custom domain (e.g. cyberarc.broadcom.net) with the appropriate DNS CNAME changes, users accessing the site were given a certificate warning.
The server certificate subject name was reported as "sni-support-required-for-valid-ssl" and not cyberarc.broadcom.net.
SAC Web Application.
Custom DNS name.
The SAC certificate service checks DNS host resolution before initiating the certificate emulation process. In our case, the certificate service is able to resolve pam.broadcom.net from Broadcom’s internal DNS, sees only the A record of this FQDN (not the CNAME) and errors out before reaching the certificate emulation process.
The SAC update of June 5 '23 addresses this.
The update added a fallback that checks the FQDN against a global DNS server such as 1.1.1.1 or Route 53 before trying to emulate the certificate.
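
The following shell functions are an added example, not part of the original article or of SAC. They compare how the custom FQDN is answered by the local resolver and by 1.1.1.1, and flag the placeholder certificate subject quoted above. The function names, the sample records and the CNAME target are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic example; not Broadcom/SAC tooling. Function names are hypothetical.
PLACEHOLDER_CN="sni-support-required-for-valid-ssl"   # subject name quoted in this article
PUBLIC_RESOLVER="1.1.1.1"                             # public resolver named in this article
# Constructed sample answers in `dig +noall +answer` format (addresses and target are made up).
SAMPLE_LOCAL='cyberarc.broadcom.net. 300 IN A 10.0.0.10'
SAMPLE_PUBLIC='cyberarc.broadcom.net. 300 IN CNAME tenant.example.invalid.
tenant.example.invalid. 60 IN A 192.0.2.10'

# Classify dig answer lines on stdin for FQDN $1: cname, a-only or none.
classify_answer() {
    awk -v fqdn="$1" '
        BEGIN { want = tolower(fqdn); sub(/\.$/, "", want); result = "none" }
        {
            owner = tolower($1); sub(/\.$/, "", owner)
            if (owner != want) next
            if ($4 == "CNAME") result = "cname"
            else if (($4 == "A" || $4 == "AAAA") && result == "none") result = "a-only"
        }
        END { print result }'
}

# $1 = FQDN, $2 = local resolver answer, $3 = public resolver answer.
# Prints "split-horizon" when only the public view carries the CNAME.
compare_views() {
    local_view=$(printf '%s\n' "$2" | classify_answer "$1")
    public_view=$(printf '%s\n' "$3" | classify_answer "$1")
    if [ "$local_view" = "a-only" ] && [ "$public_view" = "cname" ]; then
        echo "split-horizon"
    else
        echo "local=$local_view public=$public_view"
    fi
}

# Succeeds when a certificate subject line carries the placeholder name.
is_placeholder_cert() {
    case "$1" in *"$PLACEHOLDER_CN"*) return 0 ;; *) return 1 ;; esac
}

# Live check against a real site (needs dig, openssl and network access).
check_site() {
    compare_views "$1" "$(dig +noall +answer "$1" A)" \
        "$(dig @"$PUBLIC_RESOLVER" +noall +answer "$1" A)"
    subject=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null)
    if is_placeholder_cert "$subject"; then echo "placeholder certificate: $subject"; fi
}
# Usage: check_site cyberarc.broadcom.net
```

A `split-horizon` result means the local resolver answers the name with an A record only while the public resolver returns the CNAME, which is the mismatch described above.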