No subject alternative name matching found for SSL cert even though common name is correct in Native Launcher

Hi everyone,
We are enabling SSL/TLS on our Gateway. We have an internal CA-provided cert and the entire chain has been added to the Gateway following IA's documentation. Our CSR and assigned cert include the following:
Common Name: FQDN - something like ignition25.domain.global
SAN: ignition25
SAN: 192.168.1.125

When I use the Native Launcher and try to add a Gateway with FQDN, I get the following error when clicking "Trust" saying there's no subject alternative DNS name matching ignition25.domain.global

The .pem file gets added to .ignition\clientlauncher-data\certificates

Web browsing to https://ignition25.domain.global:8043 works fine
Web browsing to https://ignition25:8043 works fine

I have tried various Launcher versions from 1.1.11 to 1.1.48 and all exhibit the same behavior.
If I add the Gateway in the Launcher with only the hostname https://ignition25:8043 it works fine.
Why is the Native Launcher not using the Common Name for cert validation, and instead looking inside of the SAN? I can't find any documentation anywhere that says a SAN "must" include the Common Name/FQDN

This has been common practice internet-wide for years now. I'll see if I can find some docs for you, but you need to put all of the domain names under SAN entries. Using the CN has been a deprecated practice for a while.


Thanks @Kevin.Herron - I found some info online where it was recommended but didn't know it was required. I'll add it. Thanks for the quick response.

This states that if a CN is present, it must be an exact copy of one of the SAN entries, which implies your FQDN and other hostnames must be in the SAN entries, and the CN is optional.

Got pulled into a meeting, can't dig around any more right now.

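To make the two replies above concrete (SAN-only matching, and a CN that must be duplicated as a SAN entry), here is an added example that is not part of the thread and not Inductive Automation's launcher code. It models the certificate from the original post as a plain dict (constructed data, not parsed from a real PEM) and implements the hostname check the way SAN-only clients do it: the dialled name is compared against dNSName and iPAddress entries, and the Common Name is never consulted. A legacy CN-fallback matcher is included only to show why the browser in the thread was presumably happy while the launcher was not. The function names and the `lint_cert` helper are my own.

```python
"""Hostname-vs-certificate matching as SAN-only TLS clients perform it.

Certificates are modelled as dicts with a 'common_name' and a list of
('DNS'|'IP', value) SAN tuples. This is constructed sample data mirroring
the thread, not output of a real certificate parser.
"""
import ipaddress

# Mirrors the certificate described in the thread: the CN carries the FQDN,
# but the SAN extension holds only the short hostname and the IP address.
ORIGINAL_CERT = {
    "common_name": "ignition25.domain.global",
    "san": [("DNS", "ignition25"), ("IP", "192.168.1.125")],
}

# The corrected certificate: every name a client might dial is a SAN entry,
# and the CN is an exact copy of one of them.
FIXED_CERT = {
    "common_name": "ignition25.domain.global",
    "san": [
        ("DNS", "ignition25.domain.global"),
        ("DNS", "ignition25"),
        ("IP", "192.168.1.125"),
    ],
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, trailing dot
    ignored, and a wildcard is honoured only as the entire left-most label
    of a pattern with at least three labels (so '*.global' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_match(cert: dict, target: str) -> bool:
    """True if `target` (a DNS name or an IP literal) is covered by the SAN
    extension. The CN is deliberately ignored: an IP literal is only ever
    compared with iPAddress entries, a DNS name only with dNSName entries."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert["san"]:
        if kind == "IP" and ip is not None:
            if ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and ip is None:
            if _dns_label_match(value, target):
                return True
    return False


def cn_only_match(cert: dict, target: str) -> bool:
    """Legacy behaviour shown for contrast only: fall back to the CN when
    nothing in the SAN list matches. Modern clients no longer do this."""
    return san_match(cert, target) or cert["common_name"].lower() == target.lower()


def lint_cert(cert: dict) -> list:
    """Flag the defect from the thread: a CN that is not also listed as a
    SAN dNSName entry, so SAN-only clients can never match it."""
    problems = []
    dns_names = [value for kind, value in cert["san"] if kind == "DNS"]
    if cert["common_name"] not in dns_names:
        problems.append(
            f"CN {cert['common_name']!r} is not present among SAN dNSName entries"
        )
    return problems


if __name__ == "__main__":
    for name in ("ignition25.domain.global", "ignition25", "192.168.1.125"):
        print(f"{name:28} SAN-only={san_match(ORIGINAL_CERT, name)!s:5} "
              f"CN-fallback={cn_only_match(ORIGINAL_CERT, name)}")
    print("lint:", lint_cert(ORIGINAL_CERT) or "ok")
```

Running it against the original certificate shows the FQDN failing under SAN-only matching while the short hostname and the IP succeed, which is exactly the launcher behaviour reported above; the same FQDN passes under the legacy CN fallback. When regenerating the CSR, all three names go into the `subjectAltName` extension as `DNS:ignition25.domain.global`, `DNS:ignition25` and `IP:192.168.1.125` entries, with the CN repeating the FQDN.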

Good enough for me. Thanks again