This article contains some common methods used to debug and check SSL properties.
Matching Private Key
The inability to verify a certificate is usually caused by using the incorrect private key (or CSR). The following method tells you whether the certificate and private key match; if both commands print the same hash, they do:
~# openssl x509 -noout -modulus -in mycertificate.crt | md5sum
fab53123e5748a20d03739dc668c081b -
~# openssl rsa -noout -modulus -in myprivatekey.key | md5sum
fab53123e5748a20d03739dc668c081b -
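The modulus comparison above applies to RSA keys only. As an added example that is not part of the original article, the script below generalizes the check to any key type by comparing SHA-256 fingerprints of the public key. The function names and the throwaway example.test certificate and keys it generates are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: certificate/private-key match for any key type (RSA, EC, ...),
# comparing SHA-256 fingerprints of the DER-encoded public key.

# Print the fingerprint of the public key embedded in a PEM certificate.
pubkey_fp_from_cert() {
    pem=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the fingerprint of the public key derived from a PEM private key.
pubkey_fp_from_key() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 on match, 1 on mismatch, 2 if either file could not be parsed.
cert_matches_key() {
    cert_fp=$(pubkey_fp_from_cert "$1") || return 2
    key_fp=$(pubkey_fp_from_key "$2") || return 2
    [ "$cert_fp" = "$key_fp" ]
}

# Constructed sample material: an EC key with a self-signed certificate, plus
# an unrelated RSA key. All names are throwaway values for this demo.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl ecparam -name prime256v1 -genkey -noout -out "$demo_dir/ec.key"
openssl req -new -x509 -key "$demo_dir/ec.key" -subj "/CN=example.test" \
    -days 1 -out "$demo_dir/ec.crt"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/other.key" 2>/dev/null

for key in ec.key other.key; do
    if cert_matches_key "$demo_dir/ec.crt" "$demo_dir/$key"; then
        echo "ec.crt <-> $key: MATCH"
    else
        echo "ec.crt <-> $key: no match"
    fi
done
```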
Check SSL Connection
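Use a standard openssl command to check if the SSL handshake will pass correctly and initiate a secured HTTP connection. Note that s_client completes the handshake even when certificate verification fails, so read the "Verify return code" line at the end of the output (19 in the example below; 0 means the chain verified):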
~# openssl s_client -connect www.domain.com:443
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.domain.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.domain.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 5429 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: ********************************************
Session-ID-ctx:
Master-Key: ********************************************
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - **************************************************
0010 - **************************************************
0020 - **************************************************
0030 - **************************************************
0040 - **************************************************
0050 - **************************************************
0060 - **************************************************
0070 - **************************************************
0080 - **************************************************
0090 - **************************************************
00a0 - **************************************************
Start Time: 1416522873
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
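One way to script the check on the "Verify return code" line, as an added example that is not part of the original article. The function name summarize_s_client is hypothetical, and the sample input is a constructed excerpt modeled on the output above.

```shell
#!/bin/sh
# Added example: reduce `openssl s_client` output to the fields that matter.

# Reads s_client output on stdin and prints one summary line.
# Exit status: 0 = chain verified, 1 = verification failed, 2 = no summary found.
summarize_s_client() {
    awk '
        /^[ \t]*Protocol[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); proto = $0 }
        /^[ \t]*Cipher[ \t]*:/   { sub(/^[^:]*:[ \t]*/, ""); cipher = $0 }
        /Verify return code:/ {
            sub(/^.*Verify return code:[ \t]*/, "")
            code = $1
            reason = $0
            sub(/^[0-9]+[ \t]*/, "", reason)
        }
        END {
            if (code == "") { print "no handshake summary found"; exit 2 }
            printf "protocol=%s cipher=%s verify=%s %s\n", proto, cipher, code, reason
            exit (code == "0" ? 0 : 1)
        }'
}

# Constructed sample input (excerpt in the shape of the output shown above).
sample_output='CONNECTED(00000003)
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 19 (self signed certificate in certificate chain)
---'

# Live use would pipe the real command instead of the sample:
#   openssl s_client -connect www.domain.com:443 </dev/null 2>/dev/null | summarize_s_client
if printf '%s\n' "$sample_output" | summarize_s_client; then
    echo "chain verified"
else
    echo "handshake completed, but certificate verification FAILED"
fi
```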
Check TLS Version
Terminated SSL connection attempts can be caused by a TLS version that the client and the server do not both support. To rule out this issue, force the TLS version your client uses and check whether the server side accepts it. For TLS 1.2:
~# openssl s_client -tls1_2 -connect www.domain.com:443
Check Certificate Details
Under X509v3 Subject Alternative Name you can see what domain (or domains) your certificate is valid for.
~# openssl x509 -noout -text -in cert.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
09: … :34
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Validity
Not Before: Sep 9 00:00:00 2014 GMT
Not After : Jan 8 12:00:00 2016 GMT
Subject: C=JP, ST=Tokyo, L=Minato-ku, O=MyCompany Inc., CN=domain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00: … :49
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:50: … :F7
X509v3 Subject Key Identifier:
BD: … :C1
X509v3 Subject Alternative Name:
DNS:domain.com, DNS:cdn.domain.com, DNS:cdn1.domain.com, DNS:cdn2.domain.com, DNS:cdn3.domain.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/ca3-g28.crl
Full Name:
URI:http://crl4.digicert.com/ca3-g28.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha1WithRSAEncryption
30: … :f6
Obtaining Specific Details
Get Common Names covered by SSL Certificate
~# openssl x509 -noout -text -in cert.crt | grep 'DNS'
DNS:domain.com, DNS:cdn.domain.com, DNS:cdn1.domain.com, DNS:cdn2.domain.com, DNS:cdn3.domain.com
Get Certificate Issuer
~# openssl x509 -noout -text -in cert.crt | grep 'Issuer:'
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Get CA Issuer Authority Information
~# openssl x509 -noout -text -in cert.crt | grep 'CA Issuer'
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt
Get Signature Algorithm
~# openssl x509 -noout -text -in cert.crt | grep 'Signature Algorithm'
Signature Algorithm: sha1WithRSAEncryption
Get Certificate Dates
~# openssl x509 -noout -dates -in cert.crt
notBefore=Apr 11 01:43:02 2015 GMT
notAfter=Nov 1 18:05:38 2016 GMT
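The Subject Alternative Name, signature algorithm and date checks above can also be scripted with openssl's own -checkhost and -checkend options instead of grep on the text dump. The following is an added example, not part of the original article; the function names and the throwaway example.test certificate are assumptions, and -addext requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: scripted SAN, expiry and signature-algorithm checks.

# Exit 0 if host $2 is covered by certificate $1 (SAN entries, wildcard rules).
cert_covers_host() {
    openssl x509 -noout -checkhost "$2" -in "$1" 2>/dev/null |
        grep -q 'does match certificate'
}

# Exit 0 if certificate $1 expires within $2 days (or cannot be read).
cert_expires_within() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Print the signature algorithm name of certificate $1.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Exit 0 if the algorithm name $1 is based on MD5 or SHA-1.
is_weak_sig_alg() {
    case "$1" in
        *[Mm][Dd]5*|*[Ss][Hh][Aa]1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: throwaway self-signed certificate valid for 30 days.
audit_dir=$(mktemp -d)
trap 'rm -rf "$audit_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test,DNS:*.cdn.example.test" \
    -keyout "$audit_dir/demo.key" -out "$audit_dir/demo.crt" 2>/dev/null

for host in example.test a.cdn.example.test cdn.example.test; do
    if cert_covers_host "$audit_dir/demo.crt" "$host"; then
        echo "$host: covered"
    else
        echo "$host: NOT covered"
    fi
done
if cert_expires_within "$audit_dir/demo.crt" 60; then
    echo "certificate expires within 60 days"
fi
alg=$(cert_sig_alg "$audit_dir/demo.crt")
if is_weak_sig_alg "$alg"; then echo "weak signature: $alg"; else echo "signature ok: $alg"; fi
```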