DLG_FLAGS_SEC_CERT_CN_INVALID

Document ID : KB000071639
Last Modified Date : 22/02/2018
Issue:
The following is displayed in IE11 and breaks the normal flow of federation/authentication.

This site is not secure
This might mean that someone's trying to fool you or steal any info you send to the server. You should close this site immediately.
The hostname in the website's security certificate differs from the website you are trying to visit.
Error Code: DLG_FLAGS_SEC_CERT_CN_INVALID

Environment:
IDP: 3rd Party
SP: PAM 3.1.1
Browser: Chrome, IE11
 
Cause:
This certificate error message is misleading: it gives the impression that the CN value of the certificate was invalid.
The CN value did not include any invalid characters. It had a hyphen in the name, but that is a legal character.

The certificate in question passes all 3 criteria:
1. Does the CN (or SAN) value match the FQHN/DNS name of the server? Yes
2. Is the certificate trusted? Yes
3. Is the certificate valid? Yes

From research, this error can occur when a self-signed certificate is used.
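The following Go program is an added example, not code from this article or from the PAM product: using only the standard library, it mints a constructed self-signed certificate whose CN and SAN match a hypothetical hostname, imports it into a trust pool the way an administrator would, and then runs the three checks above plus the self-signed test. All three checks pass, yet the certificate is still its own issuer, which is the condition the article identifies as the trigger for the error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Diagnosis records the article's three checks plus the test that explains the error.
type Diagnosis struct{ HostnameMatches, Trusted, InValidityWindow, SelfSigned bool }

// diagnose runs those checks against cert for the hostname the browser actually visited.
func diagnose(cert *x509.Certificate, visited string, roots *x509.CertPool, now time.Time) Diagnosis {
	_, verr := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return Diagnosis{
		HostnameMatches:  cert.VerifyHostname(visited) == nil, // SAN is matched; a bare CN is ignored
		Trusted:          verr == nil,
		InValidityWindow: !now.Before(cert.NotBefore) && !now.After(cert.NotAfter),
		SelfSigned: string(cert.RawIssuer) == string(cert.RawSubject) && // issuer equals subject...
			cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil, // ...and it signed itself
	}
}

// Demo mints a constructed self-signed certificate for host (a hypothetical name, not the
// certificate from the case), trusts it as an administrator would, and diagnoses it.
func Demo(host, visited string) Diagnosis {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host}, // a hyphen in the CN is legal, as the article notes
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(cert) // the "Trusted? Yes" situation from the article
	return diagnose(cert, visited, roots, time.Now())
}
```

Calling Demo("pam-gateway.example.com", "pam-gateway.example.com") yields all four fields true; the same certificate diagnosed for a different visited name fails only the hostname check while remaining self-signed.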
Resolution:
A new certificate issued by a Certificate Authority was deployed on PAM.
This is not specific to PAM: when IE meets a self-signed certificate, you may encounter this error.
 
Additional Information:
https://support.microsoft.com/en-nz/help/931850/there-is-a-problem-with-this-website-s-security-certificate-when-you-t