We are having issues with providing proxy services to IIS when IIS is using a SAN certificate. Using OpenSSL to troubleshoot the issue via "openssl s_client -connect URL:443", we are getting a specific error message of "verify return code: 20 (unable to get local issuer certificate)". We have verified, via multiple ways, that the IIS certificate, intermediate and root certificate are all included in our ca-bundle in the correct format.
As a test, we have set up a SAN certificate on an IHS server and are able to process. What we seem to see in IIS is that it can read the certificate and identify the intermediate and root. But it is not processing the intermediate and stops at that point.
In your post you listed the port as 433, is this a typo and you meant 443?
Also, are you thinking this is a CA SSO issue? If so, would need more information on your current setup, as well as the output of
openssl x509 -in iiscert.crt -noout -text
to see better how your SAN was created.
You are correct, it's 443. I would not classify this as an SSO issue. It is more of an issue with OpenSSL that is bundled in the CA SiteMinder Secure Proxy Server.
I don't really have an example of the certificate request, but it is a standard SAN certificate with a CN name entry and additional Subject Alternative Names. There is a root and intermediate certificate that is issued with the certificate.