Certificate Name Mismatch Findings Marta Castro When Certificate Name Mismatch findings for TLS/SSL Configurations are assessed, the Bitsight platform checks all publicly queried hostnames. To reassess the findings, we need to confirm the DNS pair that shows the asset is targeted by the canonical name (CNAME) since there’s no way to tell if a scan is done on a CNAME. We can’t act on assets used as a "front door" because it could lead to security risks and set a bad precedent. When a CNAME is scanned, a rule to skip checks on the Common Name and Subject Alternative Name fields for the relevant domains can be implemented. Reach out to Bitsight Support to set this up. As a result, findings related to Certificate Name Mismatch are cleared and the overall rating can be recalculated. This ensures the scan results accurately reflect the CNAME configuration without unnecessary warnings. While these findings are removed, all other TLS/SSL Configuration findings continue to be flagged as usual. July 15, 2025: Referenced the finding for more information. January 28, 2025: Published. Related articles TLS/SSL Finding Remediation & Remediation Verification TLS/SSL Configurations Risk Vector Certificate Authorities Verifying That a Finding Is Remediated Adding an AWS Cloud Infrastructure Connection Feedback 1 comment Sort by Date Votes Alan [CORP] October 17, 2025 17:29 Edited TL;DR: In my opinion, Bitsight has created a problem that does not exist.Despite this article, Bitsight support states that you must install a SAN that covers all possible FQDNs, or they will not remove the penality.Consider these example services. In real-world practice, the user/browser/application will only connect and perform SSL cert checks for the bolded CNAME FQDNs. The IP addresses that are eventually resolved by a chain of DNS records is returned to the OS. The FQDNs in the chain are not evaluated for certificate validity because the browser/app is using the original FQDN and the final IP address.ServiceA is manually switched between a primary and backup circuit. It's not as fancy as load balancing. But it's a quick (and free) DNS fix to route around outages. The FQDNs of the (A) records are never presented to a browser.ServiceB is running at a site with non-static IP address. Dynamic DNS service will continually update so that you can use a friendly FQDN. It's not possible to make a SAN cert that includes a domain outside of your control.ServiceC is hosted on and external platform. It's not possible to make a SAN cert that includes a domain outside of your control.ServiceD points to a friendly CNAME of a provider, which then resolves to another CNAME or A record. Now we have multiple FQDNs, none of which are in domains under our control.Where is the risk of _not_ publishing certs for every FQDN along the way? The browser or application will never be presented with the string of FQDNs during DNS resolution. Thus, there will be no certificate mis-match in the real world.;;example A Recordsserver1.domain.tld. 1 IN A 203.0.113.1; primary ckt handling serviceAserver2.domain.tld. 1 IN A 198.51.100.2; backup ckt handling serviceA;; example CNAME RecordsserviceA.domain.tld. 1 IN CNAME server2.domain.tld.; manually set to active serverserviceB.domain.tld. 1 IN CNAME dyn-serviceB.some-dynamic-dns-provider.tld.serviceC.domain.tld. 1 IN CNAME random-host123.some-hosting-provider.tld.serviceD.domain.tld. 1 IN CNAME domain-tld.other.tld.; this points to a customer-tagged CNAMEdomain-tld.other.tld. 1 IN CNAME load-balancer.us-other.tld.; this points to an A record in a different domain 0 Please sign in to leave a comment.