7,023 questions
What's in the subject alternative name on the certificate?
From the help for Test-Certificate:
If the DNSName parameter is used, then the DNS subject alternative name is used to verify SSL policy.
The certificate's CN name does not match the passed value
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 6%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Sam Na
46
Reputation points
Hi,
We noticed some issues when it comes to EAP-TLS communications and when we ran the Powershell command "Get-ChildItem -Path Cert:\localMachine\My | Test-Certificate -Policy SSL -DNSName "dns=contoso.com" on the client computer, the computer certificate showed " The certificate's CN name does not match the passed value " error.
The subject certificate was issued by Certificate Authority using the computer template.
Not sure where to look for exactly as the certificate shows the CN as the DNS name of the PC that seems to be correct.
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
Windows for business | Windows Server | User experience | PowerShell
Windows for business | Windows Server | Devices and deployment | Configure application groups
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Rich Matheisen 47,901 Reputation points2022-02-06T20:41:58.673+00:00 -
Sam Na 46 Reputation points
2022-02-06T20:45:21.787+00:00 ُSubject Alternative Name(computer certificate) is DNS which is the correct name of the hostname.contoso.com Not sure why its failing thou!!
-
Rich Matheisen 47,901 Reputation points
2022-02-06T20:57:09.277+00:00 If what you've posted is correct, it's failing because the -DNSName parameter value ("dns=contoso.com") isn't the same as "hostname.contoso.com".
I haven't had to deal with certs for the last seven years, but if I'm recallng correctly the value of the -DNSNAME in the Test-Certificate should just be the host name. E.g. "hostname.contoso.com".
-
Sam Na 46 Reputation points
2022-02-06T21:44:07.607+00:00 Changing to Get-ChildItem -Path Cert:\localMachine\My | Test-Certificate -Policy SSL -DNSName "hostname.contoso.com" shows True instead of failed. (not sure why Microsoft's example shows a dns=contosoc.com!!! here: https://learn.microsoft.com/en-us/powershell/module/pki/test-certificate?view=windowsserver2022-ps )
I guess we have to believe that the Computer certificate has no issues and the root cause of the EAP-TLS timeout is elsewhere. (we get this error when a client tries to connect to Aruba ClearPass using EAP-TLS with error 9002)
Sign in to comment -
-
Vadims Podāns 9,186 Reputation points MVP2022-02-07T11:08:00.547+00:00 The certificate's CN name does not match the passed value " error.
that's because client certificate is not valid/responsible for entire domain, it is valid for particular client host only.
not sure why Microsoft's example shows a dns=contosoc.com!!!
because it is an example. You have to insert your desired name which matches the client host FQDN.
This means that your issues with RADIUS lie elsewhere. It would be better if you start a new thread and provide RADIUS configuration and relevant logs with error. Either, client and/or RADIUS certificate fails validation.