How to configure email on CA Service Desk Manager (CA SDM) using the TLS option, when you get the following errors: Error (15) Failed to find the CA certificate / Error (13) Certificate name does not match?

Document ID : KB000017377
Last Modified Date : 14/02/2018

 

Introduction: 

 This document explains what CA SDM's mail programs expect in order to connect to a mail server over TLS. It assumes that your mail administrator has provided you with a valid SSL certificate.

 Question: 

How to configure email on CA SDM using the TLS option, when you get the following errors?

 Error (15) Failed to find the CA certificate

 Error (13) Certificate name does not match?

 Environment:  

 • CA Service Desk Manager 12.9

 Answer: 

 Normally an SSL certificate has a Certificate Path, which starts with the subject certificate (the certificate issued to the server itself) and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted Certification Authority (CA).

 CA SDM's mail programs expect to find ALL of these certificates (not just the one issued to the server) in the single file they are configured to use. If one or more of the intermediate certificates is missing from that file, you will see errors like the following in the CA SDM stdlogs:

 Error (15) Failed to find the CA certificate

 Error (13) Certificate name does not match 

 Here's an example certificate for smtp.gmail.com:

NOTE: Gmail is not an officially certified mail server. Its certificate is used here only as an example because it is publicly available. Refer to the CA SDM Compatibility Matrix for the latest supported/certified mail servers.

 

  1. smtp.gmail.com certificate properties:
     
          [Screenshot: smtp.gmail.com certificate properties]
  2. For CA SDM to identify the certificate for smtp.gmail.com, saving just that certificate (in Base64 format) is not enough. All three certificates (smtp.gmail.com, Google Internet Authority G2 and GeoTrust Global CA) must be appended together in one file.
  3. The order of the certificates in the file does not matter.
  4. To save each certificate, export it from the certificate path above to an individual file (in Base64 format); the files are appended together afterwards. For example, click on the Google Internet Authority certificate --> click View Details --> go to the Details tab and then click Copy to File. Save it in Base64 format to a different file.
     
    [Screenshot: exporting the certificate with Copy to File]
  5. Repeat the same for the GeoTrust Global CA certificate.
  6. Now append all 3 files together into one. The result has one BEGIN/END block per certificate in the chain, so it would look like:
    -----BEGIN CERTIFICATE-----
    ..
    ..blahblah Real SMTP Cert...
    ..
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ..
    ..blahblah cert chain cert1...
    ..
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ..
    ..blahblah cert chain cert2...
    ..
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ..
    ..blahblah ROOT CA cert ...
    ..
    -----END CERTIFICATE-----
  7. Save this file and use it as the certificate file when configuring the CA SDM mail options.
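
The following is an added example, not CA tooling or code from the original document: a Python check that every certificate in the appended file has its issuer present in the same file, which is the condition the steps above are meant to satisfy. The function names and the sample certificates (structure only, with no keys or signatures) are constructed for illustration. The check compares issuer and subject names byte for byte and does not verify signatures.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER encodings of (issuer, subject) from one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)             # outer Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)           # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos    # skip the optional [0] version field
    fields = []
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def missing_issuers(bundle_text):
    """Indexes of certificates in a PEM bundle whose issuer is absent from the bundle."""
    ders = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(bundle_text)]
    names = [issuer_subject(d) for d in ders]
    subjects = {subject for _, subject in names}
    return [i for i, (issuer, _) in enumerate(names) if issuer not in subjects]

# --- Constructed sample: structure-only certificates (no keys, no signatures) ---
def _enc(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_pem(subject, issuer):
    name = lambda cn: _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
               + name(issuer) + _enc(0x30, b"") + name(subject))
    der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\r\n%s-----END CERTIFICATE-----\r\n" % base64.encodebytes(der).decode()

LEAF, MID, ROOT = (sample_pem(s, i) for s, i in [("smtp.example.test", "Example CA 1"),
                   ("Example CA 1", "Example Root"), ("Example Root", "Example Root")])
```

An empty list from `missing_issuers` means the file contains the full path up to a self-issued root; any index returned points at a certificate whose issuer still needs to be exported and appended.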