Receive following message for SSL certificate: NET::ERR_CERT_COMMON_NAME_INVALID

Document ID : KB000013403
Last Modified Date : 14/02/2018
Question:

The message NET::ERR_CERT_COMMON_NAME_INVALID is received for the SSL certificate when accessing the URL:

https://odmi1-zsys.ace.aaaclubnet.com:9606/ibm/console/logon.jsp

 

This server could not prove that it is odmi1-zsys.ace.aaaclubnet.com; its security certificate is from odmi1-zsys.ace.aaaclubnet.com,sysd.ace.aaaclubnet.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Windows does not have enough information to verify this certificate.

Issued to: odmi1-zsys.ace.aaaclubnet.com

Issued by: ACECAISSUE2

Valid from: 17/11/2017 to 17/11/2018

 

The customer has both odmi1-zsys.ace.aaaclubnet.com and sysd.ace.aaaclubnet.com in the domain name of the certificate so that users can use either one in the URL to access the console.

Answer:

Top Secret and the other security products (ACF2, RACF) do not support generating multiple altname segments for a digital certificate. Other clients that needed this functionality had to go to an outside CA to obtain the certificate.

Once the CA supplied the certificate, they were able to add it to Top Secret. (CA = Certificate Authority)

 

Generating a certificate request with two domains via GSKKYMAN.

These are the steps:

 

1. GSKKYMAN - generate a request with two domains.

2. Export the request (PK10) to MVS.

3. Use the PK10 as input for a GENCERT. This requires a signing certificate.

TSS GENCERT(CERTSITE) DIGICERT(XXXXX) DCDSN(PK10 file) signwith(xxxx,yyyy)

You should now have a certificate with two domains.

4. Add both certificates to the keyring: the new one (two domains) and the signer.
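
The check below is an added example, not part of the original document or of any CA product. It models the host-name comparison that produces NET::ERR_CERT_COMMON_NAME_INVALID and can be used to confirm that the certificate from step 3 covers both names. It assumes the failing certificate carried both names comma separated in its common name with no subjectAltName entries; the certificate contents and function names are constructed for illustration.

```python
# Added example (not from the KB article): models the browser's host-name check.
# Per RFC 6125, only dNSName subjectAltName (SAN) entries are consulted; the
# subject common name (CN) is not used as a fallback.

HOSTS = ["odmi1-zsys.ace.aaaclubnet.com", "sysd.ace.aaaclubnet.com"]

# Constructed certificate contents; the CN/SAN layout is an assumption.
CN_ONLY_CERT = {"cn": ",".join(HOSTS), "san_dns": []}
TWO_SAN_CERT = {"cn": HOSTS[0], "san_dns": list(HOSTS)}


def name_matches(pattern, host):
    """Compare one SAN dNSName entry with the host name from the URL."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard counts only as the entire left-most label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(cert, hosts):
    """Hosts that no SAN entry matches; the CN is deliberately ignored."""
    return [h for h in hosts
            if not any(name_matches(n, h) for n in cert["san_dns"])]


def names_only_in_cn(cert):
    """Names present in the CN (comma separated) but missing from the SAN."""
    san = {n.lower() for n in cert["san_dns"]}
    parts = [p.strip() for p in cert["cn"].split(",") if p.strip()]
    return [p for p in parts if p.lower() not in san]


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_CERT), ("two SANs", TWO_SAN_CERT)):
        print(label, "uncovered:", uncovered_hosts(cert, HOSTS),
              "CN-only names:", names_only_in_cn(cert))
```

An empty result from both functions for the new certificate means either host name in the URL will pass the name check.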