By Alton Alexander. Updated on June 4th, 2022

The dlg_flags_sec_cert_cn_invalid error code indicates that the common name (CN) in the security certificate is invalid. This can happen for a number of reasons, including if the website's domain name has changed, or if the certificate was issued to a different domain name altogether. In either case, the name in the certificate does not match the domain name the browser is connecting to, and thus the browser cannot trust the site.
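
The name check behind this error can be reproduced offline to see which names a certificate actually covers. The following is an added example, not code from the original article: the function names and sample certificates are constructed, the certificates use the dict layout returned by Python's ssl.SSLSocket.getpeercert(), and the fallback to the CN when no SAN DNS entries exist is an assumption (many current clients ignore the CN entirely).

```python
# Added example: sample certificates below are constructed, in the dict
# layout returned by ssl.SSLSocket.getpeercert().

def cert_names(cert):
    """Return the DNS names the certificate covers: SAN entries, else the CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # assumption: the CN is consulted only when no SAN DNS names exist
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Match one certificate name against a host name.

    A wildcard is accepted only as the whole left-most label and
    stands for exactly one label.
    """
    p_labels = pattern.rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def check_host(cert, host):
    """Return (ok, names) so a mismatch can be reported with the names found."""
    names = cert_names(cert)
    return any(name_matches(n, host) for n in names), names

# Constructed samples for the causes described above.
OLD_DOMAIN_CERT = {  # site moved to a new domain, certificate was not reissued
    "subject": ((("commonName", "old-shop.example"),),),
    "subjectAltName": (("DNS", "old-shop.example"), ("DNS", "www.old-shop.example")),
}
WILDCARD_CERT = {  # covers one level of subdomains only
    "subject": ((("commonName", "*.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "intranet.example"),),)}

if __name__ == "__main__":
    for cert, host in [(OLD_DOMAIN_CERT, "new-shop.example"),
                       (WILDCARD_CERT, "www.example.org"),
                       (WILDCARD_CERT, "a.b.example.org"),
                       (WILDCARD_CERT, "example.org"),
                       (CN_ONLY_CERT, "intranet.example")]:
        ok, names = check_host(cert, host)
        print(f"{host:20} {'match' if ok else 'CN/SAN MISMATCH'}  cert names: {names}")
```

Listing the names found next to the requested host shows whether the certificate needs to be reissued for the new name or the site is being reached under the wrong address.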

1. Use a different certificate

To use a different certificate to fix dlg_flags_sec_cert_cn_invalid:

  1. Export the certificate to a .PEM file.
  2. Change the file name of the certificate to dlg_flags_sec_cert.PEM.
  3. Import the certificate into the Windows Certificate Services console.
  4. Change the certificate's validity period to the desired value.
  5. Click OK to save the changes.

2. Set the security.use_mozillapkix_verification preference to false

To disable the use of Mozilla's PKIX verification, open the preferences dialog and set the security.use_mozillapkix_verification preference to false.

3. Set the security.pki.name_matching_mode preference to 5

To set the security.pki.name_matching_mode preference to 5 to fix dlg_flags_sec_cert_cn_invalid:

  1. From the administrative console, open the PKI Management window.
  2. In the left pane, under the PKI tree, select the PKI object that you want to configure.
  3. On the right pane, under the Name Matching Settings category, select the Security Profile Settings check box, and then select the Security Profile name.
  4. In the Name Matching Mode list, select the desired mode.
  5. In the Validation Mode list, select the desired mode.
  6. In the Extended Validation Mode list, select the desired mode.
  7. To apply the changes, click the Apply button.

If the answers above didn't work then you should also try:

  1. Set the security.ssl.enable_false_start preference to true.
  2. Set the network.tls.version.min and network.tls.version.max preferences to 3.
  3. Set the network.ssl.version.min and network.ssl.version.max preferences to 3.
  4. Set the security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha preferences to false.
  5. Set the security.ssl3.ecdhe_ecdsa_aes_128_sha and security.ssl3.ecdhe_ecdsa_aes_256_sha preferences to false.
  6. Set the security.ssl3.ecdh_ecdsa_aes_128_sha and security.ssl3.ecdh_ecdsa_aes_256_sha preferences to false.
  7. Set the