Credential failed name check error upon updating SP certificate
Cantor, Scott
cantor.2 at osu.edu
Thu Apr 7 14:08:48 UTC 2022
It's only going to care about the name if the key isn't in the metadata. Old configurations still fall back into PKIX trust (I don't know if we're still shipping that, I think we changed the default at some point to stop), and that's where the name checking is done. And that usually won't work without other extensions in the metadata, so the message is really just "this isn't the same key that's in the metadata" at the end of the day.
-- Scott
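
An added example, not part of the original post and not Shibboleth code: a standard-library check of whether a certificate's public key is one of the keys listed in SAML metadata, which is the condition the reply says the error comes down to. It assumes "same key" means an identical SubjectPublicKeyInfo; the helper names and the sample certificates (unsigned stand-ins built inline) are constructed for illustration.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_sha256(cert_der):
    """SHA-256 of the SubjectPublicKeyInfo inside a DER X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version
        pos = end
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)        # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def key_in_metadata(cert_der, metadata_xml):
    """True if the certificate's public key is one listed in the metadata."""
    certs = ET.fromstring(metadata_xml).iter(DS + "X509Certificate")
    listed = {spki_sha256(base64.b64decode(c.text)) for c in certs if c.text}
    return spki_sha256(cert_der) in listed

# Constructed sample data: unsigned stand-ins with the X.509 field layout only.
def _der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form length suffices here

def sample_cert(serial, key):
    spki = _der(0x30, _der(0x30), _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, bytes([serial])),
               _der(0x30), _der(0x30), _der(0x30), _der(0x30), spki)
    return _der(0x30, tbs, _der(0x30), _der(0x03, b"\x00"))

def sample_metadata(cert_der):             # trimmed to the KeyDescriptor path
    b64 = base64.b64encode(cert_der).decode()
    return ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><SPSSODescriptor><KeyDescriptor>'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></KeyDescriptor></SPSSODescriptor></EntityDescriptor>')

METADATA = sample_metadata(sample_cert(1, b"key-A"))
RENEWED, REKEYED = sample_cert(2, b"key-A"), sample_cert(3, b"key-B")  # same key / new key
```

`key_in_metadata(RENEWED, METADATA)` is true because the reissued certificate keeps the key pair, while `key_in_metadata(REKEYED, METADATA)` is false until the metadata carries the new key. To check a real certificate, pass its DER bytes and the metadata file's contents.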