I'm reasonably particular that the confirm command is Doing the job as it's supposed to, and openssl is effectively asserting that the certs Do not match up in a way. But I haven't got enough facts to state why the final website link is problematic., as spelled out in RFC 2469. Canonical variety is generally most well-liked, and employed by all mod