Friday, February 01, 2013

Solving: "The certificate's CN name does not match the passed value"

In mail clients such as Windows Mail, the error "The certificate's CN name does not match the passed value" means that you are connecting to a mail server whose SSL certificate does not match the exact fully qualified domain name (FQDN) you are connecting to.

This could be because of the following:

  1. The server address may be missing a single character.
    e.g. against [ notice the trailing period]

    Solution: add the missing period '.'
  2. Your mail server address may simply be redirected to the actual mail server via a CNAME DNS record.
    e.g. ==>

    To check this, examine the DNS details for the server you are connecting to, using a lookup service such as the MXToolBox CNAME lookup.

    You may also inspect the server certificate to find out which server name it was issued to.
    The OpenSSL client can retrieve it with the following syntax:
    openssl s_client -connect <RemoteHost>:<RemotePort>

    Solution: Connect directly to the final server rather than to the redirected CNAME address.
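
Added example (not from the original post): an offline version of the certificate check in item 2, using `openssl x509 -checkhost` to test whether the name configured in the mail client, or the CNAME target it points to, is covered by the certificate. The hostnames and the self-signed sample certificate are constructed placeholders, and the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: which name does the certificate actually cover?
# All hostnames below are constructed placeholders, not values from the post.

# make_sample_cert DIR CN: create a throwaway self-signed certificate whose
# subject CN is CN (stands in for the certificate a real server presents).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_matches CERT HOST: succeed only if HOST is a name the certificate covers.
# The verdict is read from the text that -checkhost prints.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# diagnose CERT CONFIGURED_HOST CNAME_TARGET: classify the situation.
#   ok                the configured name is covered by the certificate
#   use-cname-target  only the CNAME target is covered (case 2 above)
#   mismatch          neither name is covered
diagnose() {
    if cert_matches "$1" "$2"; then
        echo "ok"
    elif [ -n "$3" ] && cert_matches "$1" "$3"; then
        echo "use-cname-target"
    else
        echo "mismatch"
    fi
}

demo() {
    tmp=$(mktemp -d)
    make_sample_cert "$tmp" "mailhost.provider.example"
    # The client was configured with an alias that is a CNAME for the real
    # host. The client validates the name it was given, not the CNAME target.
    diagnose "$tmp/cert.pem" "mail.customer.example" "mailhost.provider.example"
    rm -rf "$tmp"
}
demo
```

Against a live server, the same test can be fed from the command above: `openssl s_client -connect <RemoteHost>:<RemotePort> </dev/null | openssl x509 -noout -checkhost <name>`.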
