Carnegie Mellon University School of Computer Science

Troubleshooting Web Server Certificates

These are some of the most common certificate-related web server issues. See the web server certificate documentation for instructions on how to request or install a certificate. If you continue to have issues with getting a certificate or SSL to work on your web server, please submit a ticket.

Also listed below are some OpenSSL commands that may be useful when debugging certificate and SSL-related issues.

How to determine the type of a Comodo certificate

Comodo makes several types of certificates.  Some of these types require different intermediate certificates.  When you get your certificate, it should come with information about the type.  The Subject of a Comodo certificate will contain an OU (Organizational Unit) field that contains the certificate type (e.g. "Comodo Unified Communications" or "PlatinumSSL" or "Comodo Multi-Domain SSL").  You can use one of the OpenSSL commands listed below to view the Subject of a certificate file.

Problems verifying the web server's certificate chain

Make sure you have the correct Comodo intermediate certificates installed.  If you're using a non-Facilitized Apache server, the SSLCertificateChainFile directive in your Apache configuration file should point to the file containing those certificates.

The directory, /afs/cs/help/downloads/web_publishing/, contains intermediate certificate files for all Comodo certificates that have been issued by SCS Facilities.  Almost all recently-issued Comodo certificates use the intermediate certs in the file, incommon-with-root-chain.crt.

Some of the OpenSSL commands below can help you verify your certificate chain.

Problems using a Comodo certificate to secure a Windows Remote Desktop connection

There are known issues with using some types of Comodo certificates issued by SCS Facilities or CMU Computing Services to secure a Remote Desktop connection.  If you are running into this problem, send mail to: certificate-authority@andrew.cmu.edu and we can provide a re-issued certificate that should work with Remote Desktop.

Some useful openssl commands for troubleshooting certificate problems

The openssl program is available on all Dragonized Linux hosts and may be installed on many non-Facilitized hosts as well.  Openssl provides several commands that are extremely useful when debugging certificate problems.

To view the contents of a CSR:

openssl req -noout -text -in FileName

To view the contents of a certificate file:

openssl x509 -noout -text -in FileName

To view only the Subject of a certificate file (without the rest of its contents):

openssl x509 -noout -subject -in FileName

To calculate the md5 checksum of a file:

openssl md5 FileName

To verify that the server's private key, CSR, and certificate match, run openssl to print the modulus (a very long number) of each and compare the values.  Comparing the md5 checksums of the moduli instead of the moduli themselves makes this much easier; all three checksums must be identical:

openssl rsa -noout -modulus -in PrivateKeyFile | openssl md5

openssl req -noout -modulus -in CSRFile | openssl md5

openssl x509 -noout -modulus -in CertificateFile | openssl md5
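As an added example (not part of this page), the following shell script builds a throwaway private key, CSR and self-signed certificate, computes the modulus checksum of each exactly as the three commands above do, and reports whether they match. The file names and the www.example.test host name are constructed for the example; an unrelated second key is generated to show what a mismatch looks like.

```shell
#!/bin/sh
# Added example: compare the RSA modulus checksum of a key, CSR and certificate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed key material: a fresh 2048-bit key, a CSR made from it, and a
# self-signed certificate issued with the same key.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -key "$WORK/server.key" -subj "/CN=www.example.test" \
    -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" -days 1 \
    -out "$WORK/server.crt" 2>/dev/null

# A second, unrelated key: its modulus will not match the certificate.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# modulus_md5 FILE: print the md5 of the RSA modulus in a key, CSR or
# certificate, choosing the openssl subcommand from the PEM header line.
modulus_md5() {
    header=$(head -n 1 "$1")
    case "$header" in
        *"PRIVATE KEY"*)         cmd=rsa ;;
        *"CERTIFICATE REQUEST"*) cmd=req ;;
        *"CERTIFICATE"*)         cmd=x509 ;;
        *) echo "unknown PEM type in $1" >&2; return 1 ;;
    esac
    # awk keeps only the hex digest, whether openssl prints "(stdin)= ..." or not
    openssl "$cmd" -noout -modulus -in "$1" | openssl md5 | awk '{print $NF}'
}

# moduli_match FILE...: succeed only if every file carries the same modulus.
moduli_match() {
    ref=$(modulus_md5 "$1") || return 1
    shift
    for f in "$@"; do
        [ "$(modulus_md5 "$f")" = "$ref" ] || return 1
    done
    return 0
}

# check_matching: 0 when the constructed key, CSR and certificate all agree.
check_matching() { moduli_match "$WORK/server.key" "$WORK/server.csr" "$WORK/server.crt"; }

# check_mismatch: 0 when the unrelated key is correctly reported as different.
check_mismatch() { ! moduli_match "$WORK/other.key" "$WORK/server.crt"; }

check_matching && echo "server.key, server.csr and server.crt share one modulus"
check_mismatch && echo "other.key does NOT match server.crt (as expected)"
```

The PEM header check is what lets one function handle all three file types; on a real server you would point moduli_match at the key file, the CSR you submitted, and the certificate that came back.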

To see the server certificate a web server is presenting to clients:

openssl s_client -connect ServerName:Port -servername ServerName </dev/null | openssl x509 -text

The usual web server SSL port is 443, though other ports may be used (e.g. Java usually uses port 8443).  Redirecting stdin from /dev/null makes s_client exit as soon as the handshake completes instead of waiting for input, and -servername sends the host name (SNI) so that a server hosting several sites returns the certificate for the one you are checking.

To verify a certificate against a certificate chain:

openssl verify -CAfile ChainFile CertificateFile

Where "ChainFile" is the path to your certificate chain file and "CertificateFile" is the path to the file containing the certificate you wish to verify.  openssl treats every certificate in ChainFile as trusted, so the file should contain the intermediate certificates and the root (as incommon-with-root-chain.crt does); with only the root, verification of a certificate issued by an intermediate fails with "unable to get local issuer certificate".
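The following shell script is an added example, not part of this page: it builds a throwaway root, intermediate and server certificate, runs openssl verify against a chain file laid out like incommon-with-root-chain.crt (intermediate first, then root) and against the root alone, and reads the OU out of the server certificate's Subject the way the section on Comodo certificate types above suggests. All names (Example Test CA, Example Type SSL, www.example.test) are constructed for the example.

```shell
#!/bin/sh
# Added example: chain verification with openssl verify, plus reading the
# Subject OU of a certificate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions that mark a certificate as a CA.  A non-self-signed certificate
# without basicConstraints CA:TRUE is rejected as an issuer by openssl verify.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Constructed PKI: one key each for the root, the intermediate and the server.
for n in root inter server; do
    openssl genrsa -out "$WORK/$n.key" 2048 2>/dev/null
done
openssl req -new -key "$WORK/root.key" \
    -subj "/O=Example Test CA/CN=Example Test Root" -out "$WORK/root.csr" 2>/dev/null
openssl req -new -key "$WORK/inter.key" \
    -subj "/O=Example Test CA/CN=Example Test Intermediate" -out "$WORK/inter.csr" 2>/dev/null
# The OU stands in for the certificate-type field a Comodo certificate carries.
openssl req -new -key "$WORK/server.key" \
    -subj "/O=Example Org/OU=Example Type SSL/CN=www.example.test" -out "$WORK/server.csr" 2>/dev/null

# Self-signed root, then the intermediate signed by the root, then the server
# certificate signed by the intermediate.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -out "$WORK/server.crt" 2>/dev/null

# Chain file in the same shape as incommon-with-root-chain.crt: intermediate(s), then root.
cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/chain.crt"

# verify_against CHAIN CERT: 0 if CERT verifies against CHAIN, 1 otherwise.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_ou FILE: print the OU component of a certificate's Subject.
# RFC2253 output format keeps the field layout stable across openssl versions.
cert_ou() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*OU=\([^,]*\).*/\1/p'
}

# verify_full_chain: 0 when the server cert verifies with the intermediate present.
verify_full_chain() { verify_against "$WORK/chain.crt" "$WORK/server.crt"; }
# verify_root_only: 0 when verification correctly fails with the intermediate missing.
verify_root_only()  { ! verify_against "$WORK/root.crt" "$WORK/server.crt"; }
# server_ou: the Subject OU of the constructed server certificate.
server_ou()         { cert_ou "$WORK/server.crt"; }

verify_full_chain && echo "server.crt verifies against chain.crt"
verify_root_only  && echo "server.crt does NOT verify against root.crt alone (intermediate missing)"
echo "Subject OU: $(server_ou)"
```

The failing case is the one this page's first troubleshooting entry is about: the server certificate is fine, but the verifier was never given the intermediate, so it cannot build a path to the root. Pointing openssl verify at the same file you use for SSLCertificateChainFile is a quick way to confirm the file is complete before restarting the web server.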