WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID when using a CMG as a cloud DP with third-party certificate

Applies to: System Center Configuration Manager (current branch - version 1810)System Center Configuration Manager (current branch - version 1806)


You create a Cloud Management Gateway (CMG), and you enable the following setting:

Allow CMG to function as a cloud distribution point and serve content from Azure storage

You use a CMG server authentication certificate from a third-party provider. The CMG service FQDN is configured as <CMGname>.<your domain>.

In this scenario, you experience the following issues:

  • Existing clients can't download content from the CMG. Errors entries that resemble the following are logged in DataTransferservice.log:
  • Client files can’t be downloaded from CMG to set up new clients. Errors entries that resemble the following are logged in Ccmsetup.log:

Note WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID means that the host name in the certificate common name is incorrect.


This issue occurs because the clients try to access the CMG cloud service by looking for the default FQDN of <CMGname>, and this name doesn’t match the actual FQDN of <CMGname>.<your domain>. Therefore, the WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID error is reported.

Note When you enable CMG as a Cloud Distribution Point, the globally unique CMG service name that you choose must also be a globally unique Azure storage account name. An Azure storage account name is always created under the subdomain. Because the domain is owned by Microsoft, a third-party certificate provider can't create a certificate for


To fix this issue, update to Microsoft System Center Configuration Manager, version 1902.