When using Epygi's CA Root Certificate for SIP TLS connections, it validates only when connecting locally, but when using remote extension (through Internet), it doesn't validates with error logs saying...

Certificate: Names mismatch
Certificate expected name: (My public IP or Domain if used)
Certificate actual name list: (QX-WAN IP).

I'm using WAN port for IP-Phones, (NOT LAN) and 5061 TCP port forwarding. Softclient used for testing: Zoiper

The thing is that no matter what is used at the CN= field to generate the certificate within the QX, it always applies only the current Epygi's IP as the Certificate Subject CN. The .crt certificate generated doesn't add the others SIP domain aliases configured to the certificate, like SAN (Subject Alternative Names). Because of this if I'm using any domain or ddns to connect to my public IP to established the SIP connection from the Internet, can't make it work, because will never match the Subject CN applied at the certificate. That's why somehow it makes sense that TLS works when connecting locally because Epygi's IP is used to establish the connection and that's what is applied always to the Subject CN in the certificate.

Maybe it could work if I used the WAN interface exclusively for remote connections and assign to it my public IP. Still, that limits the possibilities of connections to any desired domain or DDNS. Also is common that environments already had a firewall using the only available public IP.

I could be doing something wrong, and I'm no expert in OpenSSL, nor Certificates, but will appreciate to know if there's a simple way to make it work and have a secure TLS way to connect devices from the Internet using any desired Domain or at least the public IP that is not assigned to the QX.