Understanding the New Zealand Online Extremist Ecosystem released by DIA; higher rates of far right extremism online than UK, US

Yeah, something a bit interesting is going on there actually.

$query_cert dia.govt.nz
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8c:16:5b:d2:e4:30:88:bf:65:9c:89:02:1a:98:e8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
        Validity
            Not Before: Sep 27 12:44:52 2021 GMT
            Not After : Mar 29 03:39:28 2022 GMT
        Subject: CN = imperva.com
            X509v3 extensions:
                X509v3 Subject Alternative Name: 
                    DNS:andershansen.com, DNS:anthonysastrology.com, DNS:provident.com, DNS:kiger.consulting, DNS:*.haltonpolice.ca, DNS:*.pfnet.provident.com, DNS:thepointeacademy.com, DNS:www.andershansen.com, DNS:www.kiger.consulting, DNS:*.menard-inc.com, DNS:*.leadsmarket.com, DNS:www.thepointeacademy.com, DNS:myplatemaker.myplates.com.au, DNS:cookinletlending.com, DNS:*.nationalexpress.com, DNS:*.dia.govt.nz, DNS:www.anthonypierpont.com, DNS:*.bluefin.com, DNS:www.eftnola.com, DNS:imperva.com, DNS:*.provident.com, DNS:www.kimhessyoga.com, DNS:anthonypierpont.com, DNS:kimhessyoga.com, DNS:wellingtonfl.gov, DNS:*.wellingtonfl.gov, DNS:eftnola.com, DNS:bluefin.com, DNS:www.cookinletlending.com, DNS:leadsmarket.com, DNS:www.anthonysastrology.com, DNS:dia.govt.nz, DNS:*.jadeworld.com

Observe the CN (common name). I assume imperva.com is their WAF or something, but still seems weird to me to have that as the CN. Dig gives the IPs 185.11.124.136 and 192.230.64.136, which are registered to Incapsula, which appears to be the company that provides the Imperva service. It looks like they're reusing the certificate across a dozen or so clients for some reason? Based on ping times to those IPs I'd guess their node is in Christchurch, which is probably why DIA used them over a larger company.

Seems to be a Cloudflare / Akamai competitor. A lot of local institutions "hardened" after the cyberattacks last December.
*.dia.govt.nz is among the alternate names though anyway so modern browsers probably should accept it. Are you using an oldish version of your browser?
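
An added example, not part of the thread or anyone's post: why a shared WAF/CDN certificate with `CN = imperva.com` still validates for dia.govt.nz. Clients match the hostname against the dNSName SAN entries and ignore the CN when SANs are present. The SAN list is a subset of the one quoted above; the function names and the conservative wildcard rule are this example's own.

```python
# Subset of the certificate quoted in the thread (subject CN and a few SAN entries).
SUBJECT_CN = "imperva.com"
SAN_DNS = [
    "imperva.com", "dia.govt.nz", "*.dia.govt.nz",
    "*.haltonpolice.ca", "wellingtonfl.gov", "*.wellingtonfl.gov",
]


def _labels(name):
    """Lower-case a DNS name, drop a trailing root dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def san_entry_matches(pattern, hostname):
    """Match one dNSName entry against a hostname (RFC 6125 style)."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label. This example also
        # requires two literal labels after it, so "*.nz" could never match.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(hostname, san_dns, subject_cn=None):
    """Return the SAN entry that authorises hostname, or None.

    subject_cn is accepted only to show that it plays no part: when a
    certificate carries dNSName SANs, clients do not consult the CN.
    """
    for entry in san_dns:
        if san_entry_matches(entry, hostname):
            return entry
    return None


if __name__ == "__main__":
    for host in ("dia.govt.nz", "www.dia.govt.nz", "a.b.dia.govt.nz",
                 "www.imperva.com", "govt.nz"):
        print(f"{host:20} -> {hostname_matches(host, SAN_DNS, SUBJECT_CN)}")
```

The apex name validates only because `dia.govt.nz` is listed separately; `*.dia.govt.nz` alone would cover `www.dia.govt.nz` but neither the apex nor a two-level subdomain.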
