Ensure that the certificates for Identity Server and the Embedded Service Provider match the hostnames defined in the metadata URL (see DNS Name Resolution).
When Identity Server and Access Gateway are enabled for HTTPS, all communication to these devices requires that the devices send back a server certificate. Not only must the certificate be assigned to the appropriate device, but the subject name of the device certificate must match the hostname of the device it is assigned to.
To verify the certificate name of Identity Server certificate:
Click Devices > Identity Servers > Edit.
Click the SSL Certificate icon.
The SSL Connector keystore is displayed.
Verify that the subject name of the certificate matches the DNS name of Identity Server.
If the names match, a certificate name mismatch is not causing your problem.
If the names do not match, you need to either create a certificate that matches or import one that matches. For information about how to create a certificate for Identity Server, see Section 20.0, Enabling SSL Communication.
To verify the certificate name of Access Gateway certificate:
Click Devices > Access Gateways > Edit > [Name of Reverse Proxy].
Read the alias name of the server certificate, then click the Server Certificate icon.
Verify that the Subject name of the server certificate matches the published DNS name of the proxy service of Access Gateway.
If the names match, a certificate name mismatch is not causing your problem.
If the names do not match, create a certificate or import one that matches. For information about creating an Access Gateways certificate, see Configuring Access Gateway for SSL.
To view sample log entries that are logged to the catalina.out file when the certificate has an invalid name, see The Server Certificate Has an Invalid Subject Name.