The SSL certificate won't validate properly because the certificate didn't include any subject alternative names. Adding SAN (Subject Alternative Name” into “Additional Attributes” field on a Microsoft Certificate Authority certificate request form does not generate a certificate with a SAN entry.
Please review the this article that describes the problem and solution. Essentially, you must run a script to correct the issue that the issuance policy of the Microsoft CA is not configured to accept the Subject Alternative Name(s) attribute via the CA Web enrollment page.
Then, when using the web certsrv, add this under the attributes:
san:dns=your.fqdn.xxx
Another possible solution is to pass the config file below (include your information) to openssl.
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = XXXX
localityName = XXXX
organizationName = XXXXXXX
commonName = your.fqdn.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = your.fqdn.com
Then, this when doing the CSR (Certificate Signing Request):
openssl req -new -key nagiosxi.key -out nagiosxi.csr -config thefile
Article ID: 887
Created On: Wed, Jan 20, 2021 at 9:38 AM
Last Updated On: Wed, Jan 20, 2021 at 10:50 AM
Authored by: rspielman
Online URL: https://support.nagios.com/kb/article/ssl-certificate-does-not-validate-properly-887.html