Certificate Troubleshooting

openssl tls certificates troubleshooting


Quick Diagnosis Commands

View Certificate Details

# From file
openssl x509 -in cert.pem -text -noout
 
# From remote server
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -text -noout
 
# Just the dates
openssl x509 -in cert.pem -noout -dates
 
# Just the subject/issuer
openssl x509 -in cert.pem -noout -subject -issuer

Check Certificate Chain

# Show full chain from server
openssl s_client -connect example.com:443 -servername example.com -showcerts
 
# Verify chain against CA bundle
openssl verify -CAfile ca-bundle.crt cert.pem
 
# Verify with intermediate
openssl verify -CAfile root.pem -untrusted intermediate.pem cert.pem

Check Key/Cert Match

# These should output the same modulus hash
openssl x509 -in cert.pem -noout -modulus | openssl md5
openssl rsa -in key.pem -noout -modulus | openssl md5
 
# Or for EC keys
openssl x509 -in cert.pem -noout -pubkey | openssl md5
openssl ec -in key.pem -pubout 2>/dev/null | openssl md5

Common Errors and Fixes

Certificate Expired

error 10 at 0 depth lookup: certificate has expired

Diagnosis:

openssl x509 -in cert.pem -noout -dates
# Look for notAfter date

Fix: Renew the certificate


Hostname Mismatch

SSL: certificate subject name 'www.example.com' does not match target host name 'example.com'

Diagnosis:

# Check Subject and SANs
openssl x509 -in cert.pem -noout -text | grep -A1 "Subject:"
openssl x509 -in cert.pem -noout -text | grep -A1 "Subject Alternative Name"

Fix:

  • Request certificate with correct SANs
  • Include both example.com and www.example.com

Untrusted/Self-Signed Certificate

error 18 at 0 depth lookup: self-signed certificate
error 19 at 1 depth lookup: self-signed certificate in certificate chain
error 20 at 0 depth lookup: unable to get local issuer certificate

Diagnosis:

# Check issuer
openssl x509 -in cert.pem -noout -issuer
 
# Check if root CA is in trust store
openssl verify -CApath /etc/ssl/certs cert.pem

Fix:

  • Add CA to system trust store
  • Provide correct CA bundle with -CAfile
  • For internal CAs: distribute root CA to clients

Certificate Chain Incomplete

error 21 at 1 depth lookup: unable to verify the first certificate

Diagnosis:

# Check what chain server sends
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | grep -E "^ [0-9]+ s:|^ +i:"

Fix:

  • Concatenate intermediate certs into chain file
  • Order: leaf cert → intermediate(s) → (optionally) root
cat server.crt intermediate.crt > fullchain.pem

Key Mismatch

error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Diagnosis:

# Compare modulus hashes
openssl x509 -in cert.pem -noout -modulus | openssl md5
openssl rsa -in key.pem -noout -modulus | openssl md5

Fix: Use the correct private key that matches the certificate


Wrong Key Type

unable to load Private Key

Diagnosis:

# Check key format
head -1 key.pem
# Should show -----BEGIN RSA PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----
 
# Check if encrypted
grep ENCRYPTED key.pem

Fix:

# Convert PKCS#8 to traditional RSA
openssl rsa -in pkcs8.key -out traditional.key
 
# Decrypt encrypted key
openssl rsa -in encrypted.key -out decrypted.key

Certificate Chain Order

Correct order for fullchain/bundle files:

┌─────────────────────┐
│   Leaf/Server Cert  │  ← Your certificate (CN=example.com)
├─────────────────────┤
│  Intermediate CA 1  │  ← Signs the leaf cert
├─────────────────────┤
│  Intermediate CA 2  │  ← Signs Intermediate CA 1 (if exists)
├─────────────────────┤
│      Root CA        │  ← Usually NOT included (clients have it)
└─────────────────────┘

Build a chain:

cat server.crt intermediate.crt > fullchain.pem
 
# Verify the chain
openssl verify -CAfile root.pem fullchain.pem

Format Conversions

FromToCommand
PEMDERopenssl x509 -in cert.pem -outform DER -out cert.der
DERPEMopenssl x509 -in cert.der -inform DER -out cert.pem
PEMPKCS#12openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem -certfile chain.pem
PKCS#12PEMopenssl pkcs12 -in cert.pfx -out all.pem -nodes
PKCS#7PEMopenssl pkcs7 -in cert.p7b -print_certs -out cert.pem

Testing TLS Connection

Basic Connection Test

# Test connection and show cert
openssl s_client -connect example.com:443 -servername example.com
 
# Test specific TLS version
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
 
# Test with client cert
openssl s_client -connect example.com:443 -cert client.pem -key client.key

Check Supported Ciphers

# List server's preferred cipher
openssl s_client -connect example.com:443 2>/dev/null | grep "Cipher is"
 
# Test specific cipher
openssl s_client -connect example.com:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384'

Quick Reference: Error Codes

ErrorMeaning
error 10Certificate expired
error 18Self-signed certificate
error 19Self-signed cert in chain
error 20Unable to get local issuer
error 21Unable to verify first cert
error 27Certificate not yet valid
error 62Hostname mismatch