The Certificate Name Does Not Match the Hostname
Updated: August 10, 2009
Applies To: Operations Manager 2007 R2
Cross Platform Extensions uses an SSL Certificate for WS-Management Communication between the Operations Manager management server and the remote UNIX or Linux computer. For this certificate to be valid, the common name (CN) that is used in the certificate must match the fully qualified domain name (FQDN) that is resolved by Operations Manager. If the CN does not match, you will see the following error when you run the Discovery Wizard:
The SSL certificate contains a common name (CN) that does not match the hostname
You can view the basic details of the certificate on the UNIX or Linux computer by entering the following command:
openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
When you do this, you will see output that is similar to the following:
subject= /DC=name/DC=newdomain/CN=newhostname/CN=newhostname.newdomain.name
issuer= /DC=name/DC=newdomain/CN=newhostname/CN=newhostname.newdomain.name
notBefore=Mar 25 05:21:18 2008 GMT
notAfter=Mar 20 05:21:18 2029 GMT
Validate the hostnames and dates and ensure that they match the name being resolved by the Operations Manager management server.
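The name check described above can be scripted on the UNIX or Linux computer. The following is an added example, not part of the original article or of the agent's own tools; the function names are hypothetical, and it assumes the certificate is acceptable when any CN in the subject equals the FQDN that the management server resolves.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the SCX agent tools.
# Assumption: the certificate is acceptable when any CN equals the expected FQDN.

# Print each CN value from an "openssl x509 -subject" line, one per line.
# Accepts the older "/DC=a/CN=b" layout and the newer "DC = a, CN = b" layout.
subject_cns() {
    printf '%s\n' "$1" |
        sed -e 's/^subject= *//' -e 's/ *= */=/g' |
        tr '/,' '\n\n' |
        sed -n -e 's/ *$//' -e 's/^ *CN=//p'
}

# Return 0 when a CN equals the expected FQDN in $2 (DNS names ignore case).
cn_matches_fqdn() {
    [ -n "$2" ] || return 2
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    subject_cns "$1" | tr '[:upper:]' '[:lower:]' | grep -Fxq -- "$want"
}

# Check the agent certificate: $1 = FQDN the management server resolves,
# $2 = certificate path (defaults to the path used in this article).
check_agent_cert() {
    cert=${2:-/etc/opt/microsoft/scx/ssl/scx.pem}
    subject=$(openssl x509 -noout -in "$cert" -subject) || return 2
    if ! cn_matches_fqdn "$subject" "$1"; then
        echo "MISMATCH: no CN equals $1; found: $(subject_cns "$subject" | tr '\n' ' ')"
        return 1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -noout -in "$cert" -checkend 0 >/dev/null; then
        echo "EXPIRED: $cert"
        return 1
    fi
    echo "OK: a CN matches $1 and the certificate has not expired"
}
```

After sourcing the file, run check_agent_cert with the FQDN that the management server resolves for this computer, for example check_agent_cert newhostname.newdomain.name.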
If the hostnames do not match, use one of the following actions to resolve the issue:
- If the UNIX or Linux hostname is correct but the Operations Manager management server is resolving it incorrectly, either modify the DNS entry to match the correct FQDN or add an entry to the hosts file on the Operations Manager server.
- If the UNIX or Linux hostname is incorrect, do one of the following:
  - Change the hostname on the UNIX or Linux host to the correct one and create a new certificate.
  - Create a new certificate with the desired hostname.
To Change the Name on the Certificate:
If the certificate was created with an incorrect name, you can change the host name and re-create the certificate and private key. To do this, run the following command on the UNIX or Linux computer:
/opt/microsoft/scx/bin/tools/scxsslconfig -f -v
The -f option forces the files in /etc/opt/microsoft/scx/ssl to be overwritten.
You can also change the hostname and domain name on the certificate by using the -h and -d switches, as in the following example:
/opt/microsoft/scx/bin/tools/scxsslconfig -f -h <hostname> -d <domain.name>
Restart the agent by running the following command:
To add an entry to the hosts file:
If the FQDN is not in Reverse DNS, you can add an entry to the hosts file located on the management server to provide name resolution. The hosts file is located in the \Windows\System32\Drivers\etc folder. An entry in the hosts file is a combination of the IP address and the FQDN.
For example, to add an entry for the host named “newhostname.newdomain.name” with an IP address of 192.168.1.1, add the following to the end of the hosts file: