Troubleshooting Certificate Problems

If your application refuses to trust a certificate from a specific location, it might be because the one of the signers in the chain of CAs, or even the originating CA root, is not trusted. To locate the problem, you need to get the server's certificate chain, from its own identity certificate right through to the originating CA root in the server's chain of trust.

To get the chain of certificates for a specific server, you use the s_client function of OpenSSL. This function implements a generic SSL/TLS client that can establish a transparent connection to a remote server speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library.

You connect to a SSL service on the server, as follows:

openssl s_client -showcerts -connect <myserver>:<ssl_port> 

This returns all the certificates in the chain, starting with the server certificate and ending with the root CA certificate. They are all in PEM format. This command opens a session with the server. After responding to your request for the certificates, the session sits waiting for you to send further requests. You can send Ctrl+Z to exit the session or wait for the server to time out the connection.

For example:

openssl s_client -showcerts -connect ibank.myBank.co.uk:443

The above command returns:

Loading 'screen' into random state - done
CONNECTED(00000790)
depth=2 /C=US
        /O=VeriSign, Inc.
        /OU=Class 3 Public Primary Certification Authority

verify error:num=19:self signed certificate in certificate chain
verify return:0

Error 19 status is expected, because the CA root certificate in all certificate chains is self-signed. See Error 19 Details later for more details.

---
Certificate chain
 0 s:/C=GB/ST=Bucks/L=Chesham/O=myBank PLC
     /OU=Enable
     /OU=Terms of use at www.verisign.co.uk/rpa (c) 03
     /OU=Authenticated by VeriSign
     /OU=Member, VeriSign Trust Network
     /CN=ibank.myBank.co.uk
   i:/O=VeriSign Trust Network
     /OU=VeriSign, Inc.
     /OU=VeriSign International Server CA - Class 3
     /OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
-----BEGIN CERTIFICATE-----
MIIE3TCCBEagAwIBAgIQXM1dOQs/cV03UDAru58mEjANBgkqhkiG9w0BAQQFADCB
ujEfMB0GA1QBChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazDJEEUGA1UECxMOVmVy
ONfYgdrkI7Bwhc58KJR4zqwppdl0QgsspXgmz7gJFgsgfZdptm/QvXfs+N4mxDm8
b0I6p9RtmLq82Itr6q1wUWssjHm5PlZRoQ8YaYJkaUN2rLsRT1SyQxygRo9xu81d
0Q==
-----END CERTIFICATE-----

This marks the end of certificate “0”, which identifies the server system. The next section labeled "s:" refers to the certificate owner ("subject") and the following section "i:" refers to the issuer.

 1 s:/O=VeriSign Trust Network
     /OU=VeriSign, Inc.
     /OU=VeriSign International Server CA - Class 3
     /OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US
     /O=VeriSign, Inc.
     /OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
1RPuKSvD5HKNRO3RrCAJLeH24RkFOLA9D59/+D3R3IYChmFOJl9en5IeDCSk9dBw
E88mw0M9SR2egi5SX7w+xmYpAY5Okiy8RnUDgqxz6dl+C2fvVFIa
-----END CERTIFICATE-----

We have reached the end of certificate “1” which identifies the signer of the server system’s certificate. Looking at the “s” section we can see that there is less detail in this certificate than in certificate “0”, but still enough to give a legal identity to the signer. This is important to understand. When creating certificate to use in real world situations, the creator must provide enough information within the certificate content to legally identify the item or entity being represented by the certificate.

 2 s:/C=US
     /O=VeriSign, Inc.
     /OU=Class 3 Public Primary Certification Authority
   i:/C=US
     /O=VeriSign, Inc.
     /OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1USXhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzlbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
-----END CERTIFICATE-----
---
Server certificate
subject=/C=GB/ST=Bucks/L=Chesham/O=myBank PLC
        /OU=Enable
        /OU=Terms of use at www.verisign.co.uk/rpa (c) 03
        /OU=Authenticated by VeriSign/OU=Member, VeriSign Trust Network
        /CN=ibank.myBank.co.uk
issuer=/O=VeriSign Trust Network
       /OU=VeriSign, Inc.
       /OU=VeriSign International Server CA - Class 3
       /OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
No client certificate CA names sent
---
SSL handshake has read 2894 bytes and written 352 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
    Session-ID: 56931DEEE4EDB5808FAC374D3AD7EC1C90A4FB4E2FF6DA16749203A87C7FA169

    Session-ID-ctx:
    Master-Key: C87463A6C17BFC2A8817F9B6B302C8EAE53B2BC25AB63A3DEA461EA495B20C78
B4AAF17DEED14661D8A09488215DCA7B
    Key-Arg   : None
    Start Time: 1112711406
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed

You can close the session using Ctrl+Z and then Enter, to which the server should respond:

DONE

Error 19 Details

In the above example, you can see that the ultimate CA root certificate is self-signed. The ultimate CA root certificate in all certificate chains is self-signed.

The error 19 occurs because the s_client function doesn't check the default OpenSSL CA certificate store against the CA root certificates being passed in the replies by the server. So, even if this certificate is already present in the CARootCerts file, and this file is correctly configured in the openssl.cnf file, this function still fails to trust the self-signed certificate.

You can avoid this error by setting up a collection of trusted CA root certificates to be used in this s_client function call. This makes the s_client function check the default OpenSSL CA certificate store against the CA root certificates being passed in the replies by the server.

To avoid generating the error 19 from s_client, the caller must pass one of the following arguments: