For Error 1 above:
Use an SSL Certificate that contains only the key ID of the Issuing Certificate Authority in the Authority Key Identifier field, conforming to IETF RFC 5280, and complying with OpenSSL and Mozilla policy.
Including any other information in that field will result in Join failure.
For Error 2 above:
If SPP's certificate contains SPP's IPv4 address in the Common Name or subjectAltName field, then enter that SPP IP address when linking SPS to SPP.
If SPP's certificate contains only its DNS name in the Common Name or subjectAltName field, then use that SPP hostname when linking SPS to SPP.
Otherwise, set up an SSL server certificate for SPP which matches its IP address in the certificate's Common Name or subjectAltNamefields (see SSL Certificates in the Safeguard Administration Guide) and retry linking. Wait about five minutes to let the timeout of the failed link request expire before starting a new link request after a failed incomplete one. (Alternatively, see Reversing the SPP to SPS join in the Safeguard Administration Guide.)