TLS mail delivery fails when validating SSL Unified Communications Certificates (UCC) with an invalid or empty Common Name (CN) field
Last Updated July 24, 2014
This article contains supportability information regarding Secure Sockets Layer (SSL) Unified Communications Certificates (sometimes called multi-domain SSL certificates) and email delivery using Symantec Messaging Gateway 10.5.x.
Email delivery to a non-local domain may fail when TLS-encrypted delivery is required and verification of the certificate is enabled.
The Message Audit Log (MAL) shows the following error: 451 4.7.5 [internal] remote node ssl certificate not signed by a valid ca
Furthermore, a debug-level log of the Mail Transfer Agent (MTA) will show the following additional details:
2014 Jul 7 11:47:02 CEST (info) ecelerity:  Subject Common Name not found
2014 Jul 7 11:47:02 CEST (notice) ecelerity:  ec_ssl_ctx 0xd15e9fc0 tls_verify_validca failed
Symantec Messaging Gateway requires that multi-domain (UCC, SAN) certificates contain a valid CN Subject field.
To resolve this behaviour, generate a new certificate in which the CN field is present and contains valid data.
Below is an example of a (self-signed) multi-domain certificate satisfying all requirements for Messaging Gateway.
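One way to generate and pre-check such a certificate with the OpenSSL command-line tool, as an added example that is not part of the original article or of Symantec's tooling. The function names, file paths, organization name and example.com host names are constructed for illustration, and the check only confirms that the Subject carries a non-empty CN next to the SAN list.

```shell
#!/bin/sh
# Added example: issue a self-signed multi-domain (SAN) certificate and check
# that its Subject has a non-empty CN. All names below are constructed.

# make_cert <prefix> <extra-dn-line>: writes <prefix>.cnf, .key and .crt
make_cert() {
    cat > "$1.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = ext
[dn]
O = Example Org
$2
[ext]
subjectAltName = DNS:mail.example.com, DNS:mail.example.net, DNS:smtp.example.org
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# subject_cn <cert.pem>: prints the Subject CN, or nothing if there is none
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# has_san <cert.pem>: succeeds if a subjectAltName extension is present
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# check_cert <cert.pem>: succeeds only if the CN is present and non-empty
check_cert() {
    cn=$(subject_cn "$1")
    if [ -z "$cn" ]; then
        echo "FAIL $1: Subject has no usable CN"
        return 1
    fi
    has_san "$1" || echo "NOTE $1: no subjectAltName extension"
    echo "OK   $1: CN=$cn"
}
```

For example, `make_cert /tmp/smg 'CN = mail.example.com'` followed by `check_cert /tmp/smg.crt` reports OK, while a certificate issued with an empty second argument is reported as FAIL.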