...
CONNECT uses the Direct Java RI for retrieving certs via DNS. The logic used there is that it checks for an individual cert first (in your case, admin.mail.testserver.com); if this CERT record isn’t found, it then looks for the organization cert at mail.testserver.com.
The PKIX path errors occur because one machine doesn't trust the other.
...
?
Make sure the machine you are communicating with has its respective certificates imported into the trust store.
Unable to create HOK Assertion: null (failed to create saml)?
This error generally occurs when the saml.properties, signature.properties, and truststore.properties files in the configuration directory are either not found or the values in those files are incorrect/missing.
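One way to check for the condition described above is the following added example; it is not part of CONNECT. It reports which of the three files are missing from a configuration directory and which properties have no value. The directory path is supplied by the caller, the property keys in the sample are constructed, and the parser is a simplified reading of the Java .properties format.

```python
import tempfile
from pathlib import Path

# File names come from the FAQ answer above; everything else is an assumption.
REQUIRED_FILES = ("saml.properties", "signature.properties", "truststore.properties")


def parse_properties(text):
    """Parse simple .properties text; continuations and escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        # Split on the first '=' or ':' separator, whichever comes first.
        positions = [p for p in (line.find("="), line.find(":")) if p != -1]
        if positions:
            cut = min(positions)
            key, value = line[:cut].strip(), line[cut + 1:].strip()
        else:
            key, value = line, ""
        props[key] = value
    return props


def check_config_dir(config_dir):
    """Return a list of findings: missing files and keys with empty values."""
    findings = []
    for name in REQUIRED_FILES:
        path = Path(config_dir) / name
        if not path.is_file():
            findings.append(f"{name}: file not found")
            continue
        props = parse_properties(path.read_text(encoding="iso-8859-1"))
        if not props:
            findings.append(f"{name}: no properties defined")
        for key, value in sorted(props.items()):
            if not value:
                findings.append(f"{name}: '{key}' has no value")
    return findings


def demo():
    """Run the check on a constructed directory (sample keys are made up)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "saml.properties").write_text("# constructed\nexample.issuer=CN=test\n")
        Path(d, "signature.properties").write_text(
            "example.keystore.file=\nexample.alias: gateway\n")
        return check_config_dir(d)
```

An empty result from `check_config_dir` only means the files exist and every key has some value; whether those values are correct still has to be checked against the actual keystore and truststore.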
...