The way in which the agent verifies that the server name matches the certificate depends on the server information that the server certificate provides.

  • If there are SAN DNS entries in the certificate, these are compared to the server address used by the agent, and the two must match.
  • If there are no SAN DNS entries, the server address used by the agent is verified against the Common Name (CN) in the server certificate, and the two must match.

Verification fails when the address or name format used by the agent differs from the format in the server certificate, even if the name resolves to the IP address. For example, if the agent is using an IPv6 address and the SAN is not, verification fails. You can correct this problem by adding the IPv6 address to the SAN as an additional entry, in the format DNS=[IPv6].
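The following added example (not the product's own code) models the rule above so you can see which certificate field is consulted and why a lookup-equivalent address still fails. It assumes a case-insensitive string comparison with no wildcard handling, SAN values written exactly as the agent's configured address, and certificate dictionaries in the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and sample certificates are constructed for illustration.

```python
# Added example: models the matching rule described above; not the product's code.
# Certificate dicts use the layout returned by ssl.SSLSocket.getpeercert().

def san_dns_names(cert):
    """Return the DNS-type entries from the certificate's subjectAltName."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert):
    """Return the subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def check_server_name(agent_address, cert):
    """Return (matched, field_checked, candidates) for the agent's server address."""
    # Assumption: comparison is a case-insensitive string match with no
    # DNS resolution and no wildcard handling.
    wanted = agent_address.lower()
    dns_names = san_dns_names(cert)
    if dns_names:
        # SAN DNS entries exist, so the CN is never consulted.
        return (wanted in [n.lower() for n in dns_names], "SAN DNS", dns_names)
    cn = common_name(cert)
    candidates = [cn] if cn else []
    return (cn is not None and wanted == cn.lower(), "CN", candidates)

# Constructed sample certificates (not taken from a real deployment).
CERT_SAN = {
    "subject": ((("commonName", "mgmt.example.test"),),),
    "subjectAltName": (("DNS", "server01.example.test"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "server01.example.test"),),)}
CERT_SAN_V6 = {
    "subject": ((("commonName", "mgmt.example.test"),),),
    "subjectAltName": (("DNS", "server01.example.test"), ("DNS", "2001:db8::10")),
}

if __name__ == "__main__":
    for address, cert in [
        ("server01.example.test", CERT_SAN),
        ("mgmt.example.test", CERT_SAN),      # CN matches but SAN DNS exists
        ("server01.example.test", CERT_CN_ONLY),
        ("2001:db8::10", CERT_SAN),           # address form differs from SAN
        ("2001:db8::10", CERT_SAN_V6),        # IPv6 address added as a DNS entry
    ]:
        print(address, check_server_name(address, cert))
```

The second case is the one most often missed when troubleshooting: once any SAN DNS entry is present, a matching CN no longer helps.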