...
If the remote system's CA certificate is not installed, then a TLS connection will not be established and calls will be rejected with a failure response indicating the low-level problem, e.g. "503 ValidatorException: unable to find valid certification path to requested target" or "SipException: PKIXCertPathBuilderImpl could not build a valid CertPath" (the exact message depends on the JVM being used).
If the remote certificate identity (from the SubjAltName field) does not match the remote system's address, then a TLS connection will not be established and calls will be rejected with reason 5xx "Certificate identity does not match requested domain". In this case, an alarm will be raised stating "The configuration requires the identity '<expected remote identity>', but the remote certificate contains only the following identities: <list of identities in the certificate>". sipXecs requires that remote systems support draft-ietf-sip-domain-certs-04.txt, which recommends that the SIP domain identity be conveyed as a SubjAltName extension of type uniformResourceIdentifier, and that this identity match the domain to which the request is being sent.
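The identity check described above can be sketched as follows. This is an added example, not sipXecs code: the function names and sample certificates are constructed, the input uses the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the rules for which URI entries count as a domain identity (sip/sips scheme, no user part, exact case-insensitive host match) are assumptions of the example.

```python
# Added example (not sipXecs code): compare the SIP domain identities in a
# peer certificate with the domain a request is being sent to.

def sip_domain_identities(peercert):
    """Return lower-cased hosts from URI-type subjectAltName entries."""
    identities = []
    for san_type, value in peercert.get("subjectAltName", ()):
        if san_type != "URI":
            continue  # assumption: only URI entries convey a SIP domain
        scheme, sep, rest = value.partition(":")
        if not sep or scheme.lower() not in ("sip", "sips"):
            continue  # e.g. https: URIs are not SIP identities
        hostport = rest.split(";", 1)[0].split("?", 1)[0]
        if "@" in hostport:
            continue  # assumption: a user part names a user, not a domain
        # Drop a trailing :port, but leave bracketed IPv6 literals alone.
        host = hostport.rsplit(":", 1)[0] if hostport.count(":") == 1 else hostport
        if host:
            identities.append(host.lower().rstrip("."))
    return identities

def check_remote_identity(peercert, expected_domain):
    """Return (ok, alarm_text); alarm_text is empty when the identity matches."""
    expected = expected_domain.lower().rstrip(".")
    found = sip_domain_identities(peercert)
    if expected in found:  # exact match only: no wildcard or suffix matching
        return True, ""
    alarm = ("The configuration requires the identity '%s', but the remote "
             "certificate contains only the following identities: %s"
             % (expected_domain, ", ".join(found) or "(none)"))
    return False, alarm

# Constructed sample certificates (hypothetical names).
GOOD_CERT = {"subjectAltName": (("DNS", "sbc.itsp.example"),
                                ("URI", "sip:itsp.example"))}
BAD_CERT = {"subjectAltName": (("URI", "sip:alice@itsp.example"),
                               ("URI", "sip:other.example:5061"),
                               ("URI", "https://itsp.example"))}

if __name__ == "__main__":
    for cert in (GOOD_CERT, BAD_CERT):
        print(check_remote_identity(cert, "itsp.example"))
```

A certificate that names only a host such as `sbc.itsp.example`, or only a user URI, fails this check even though its CA chain validates, which is the situation the alarm text reports.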