Category: X.509 certificate usage or issue
The supplied certificate does not include the name of this machine in its list of valid names. Unless a proxy or load balancer that matches one of the names listed in this certificate is in use, clients and subordinate servers will not be able to communicate with this machine.
This warning is issued by fmos pki import-server-cert when the supplied server certificate does not include the fully-qualified domain name of the machine in its subject or subject alternative name fields.
Clients examine certificate presented by a server to determine if it is in fact the one they expected. If the name they use to locate the server does not match the certificate the server has presented, this may indicate that the communication is being intercepted. To prevent information disclosure to a malicious third party, clients will refuse to connect to servers that present certificates without the correct name.
In a multi-server FMOS ecosystem, subordinate servers and clients may not be able to connect to this machine if its certificate does not match its DNS name.
Certificates specify the name of the machine for which they certify the identity in one of two ways:
The value of the common name attribute of the distinguished name specified in subject field of the certificate
One or more items of type DNS name in the subject alternative name extension field of the certificate
If a certificate lists any names in its "subject alternative name" extension field, the value of the "subject" field is ignored.
To resolve this warning, the server certificate should be replaced with one that includes the fully-qualified domain name of the machine in its subject or subject alternative name fields.
If a load balancer, proxy, or other intermediate communication device is in use in the ecosystem, it may have a different name than this machine. If this is the case, and clients will be communicating with the intermediate device instead of this machine directly, the warning can be ignored safely.