MaxCDN Help Center

  1. MaxCDN
  2. SSL
  3. Troubleshooting

SSL Debugging

Avatar
Russell Ransom
Updated:

This article contains some common methods used to debug and check SSL properties.

Matching Private Key

The inability to verify a certificate is usually caused by using the incorrect private key (or CSR). The following method will tell you if the certificate and private key are a match:

~# openssl x509 -noout -modulus -in mycertificate.crt | md5sum
fab53123e5748a20d03739dc668c081b  -

~# openssl rsa -noout -modulus -in myprivatekey.key | md5sum
fab53123e5748a20d03739dc668c081b  -

Check SSL Connection

Use a standard openssl command to check if the SSL handshake will pass correctly and initiate a secured  HTTP connection:

~# openssl s_client -connect www.domain.com:443

CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.domain.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.domain.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 5429 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ********************************************
    Session-ID-ctx:
    Master-Key: ********************************************
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - **************************************************
    0010 - **************************************************
    0020 - **************************************************
    0030 - **************************************************
    0040 - **************************************************
    0050 - **************************************************
    0060 - **************************************************
    0070 - **************************************************
    0080 - **************************************************
    0090 - **************************************************
    00a0 - **************************************************

    Start Time: 1416522873
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

Check TLS Version

Terminated SSL connection attempts can be caused by unsupported TLS versions used between a server and a client. To rule out this issue, use the following method and find out if the TLS your client is forcing is supported on the server side: TLS1.2

~# openssl s_client -tls1_2 -connect www.domain.com:443

Check Certificate Details

Under X509v3 Subject Alternative Name you can see what domain (or domains) your certificate is valid for.

~# openssl x509 -noout -text -in cert.crt  
     
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            09: … :34
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
        Validity
            Not Before: Sep  9 00:00:00 2014 GMT
            Not After : Jan  8 12:00:00 2016 GMT
        Subject: C=JP, ST=Tokyo, L=Minato-ku, O=MyCompany Inc., CN=domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00: … :49
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:50: … :F7

            X509v3 Subject Key Identifier:
                BD: … :C1
            X509v3 Subject Alternative Name:
                DNS:domain.com, DNS:cdn.domain.com, DNS:cdn1.domain.com, DNS:cdn2.domain.com, DNS:cdn3.domain.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl3.digicert.com/ca3-g28.crl

                Full Name:
                  URI:http://crl4.digicert.com/ca3-g28.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS

            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
         30: … :f6

Obtaining Specific Details

Get Common Names covered by SSL Certificate

~# openssl x509 -modulus -text -in cert.crt | grep 'DNS'
                DNS:domain.com, DNS:cdn.domain.com, DNS:cdn1.domain.com, DNS:cdn2.domain.com, DNS:cdn3.domain.com

Get Certificate Issuer

~# openssl x509 -modulus -text -in cert.crt | grep 'Issuer:'
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3

Get CA Issuer Authority Information

~# openssl x509 -modulus -text -in cert.crt | grep 'CA Issuer'
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt

Get Signature Algorithm

~# openssl x509 -modulus -text -in cert.crt | grep 'Signature Algorithm'
    Signature Algorithm: sha1WithRSAEncryption

Get Certificate Dates

~$ openssl x509 -modulus -text -in cert.crt | openssl x509 -noout -dates
notBefore=Apr 11 01:43:02 2015 GMT
notAfter=Nov  1 18:05:38 2016 GMT

If you have any questions about the content of this article, please feel free to reach out to the Support Team for assistance, we're available 24/7 for your convenience.

Was this article helpful?

Related articles

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Contact Us