Following are some common methods to debug and inspect SSL properties, so that you can find the best way to approach ongoing SSL issues.

Match Certificate with Private Key

Inability to verify a certificate is usually caused by using the wrong private key (or a CSR instead of the private key), so the following method tells you whether the certificate and private key are a match:

~# openssl x509 -noout -modulus -in mycertificate.crt | md5sum
fab53123e5748a20d03739dc668c081b  -

~# openssl rsa -noout -modulus -in myprivatekey.key | md5sum
fab53123e5748a20d03739dc668c081b  -

Check SSL Connection

The standard openssl command to check whether the SSL handshake completes correctly and a secured HTTP connection can be initiated (<host>:<port> is a placeholder for the server you are testing):

~# openssl s_client -connect <host>:<port>

depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*
   i:/C=US/ST=Arizona/L=Scottsdale/, Inc./OU= Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/, Inc./OU= Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
Server certificate
subject=/OU=Domain Control Validated/CN=*
issuer=/C=US/ST=Arizona/L=Scottsdale/, Inc./OU= Daddy Secure Certificate Authority - G2
No client certificate CA names sent
SSL handshake has read 5429 bytes and written 443 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ********************************************
    Master-Key: ********************************************
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - **************************************************
    0010 - **************************************************
    0020 - **************************************************
    0030 - **************************************************
    0040 - **************************************************
    0050 - **************************************************
    0060 - **************************************************
    0070 - **************************************************
    0080 - **************************************************
    0090 - **************************************************
    00a0 - **************************************************

    Start Time: 1416522873
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

Check if SSL supports particular TLS version

A terminated SSL connection attempt can be caused by a TLS version that is not supported between server and client. To rule this out, use the following method to find out whether the TLS version your client is forcing is supported on the server side (<host>:<port> is a placeholder):

~# openssl s_client -tls1_2 -connect <host>:<port>

Check Certificate Details

~# openssl x509 -noout -text -in cert.crt  
        Version: 3 (0x2)
        Serial Number:
            09: … :34
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc,, CN=DigiCert High Assurance CA-3
            Not Before: Sep  9 00:00:00 2014 GMT
            Not After : Jan  8 12:00:00 2016 GMT
        Subject: C=JP, ST=Tokyo, L=Minato-ku, O=MyCompany Inc.,
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                    00: … :49
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:50: … :F7

            X509v3 Subject Key Identifier:
                BD: … :C1
            X509v3 Subject Alternative Name:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:

                Full Name:

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.1.1

            Authority Information Access:
                OCSP - URI:
                CA Issuers - URI:

            X509v3 Basic Constraints: critical
    Signature Algorithm: sha1WithRSAEncryption
         30: … :f6

Under X509v3 Subject Alternative Name you can see which domain (or domains) your certificate is valid for.

Pull out only certain details from the certificate

Get Common Names covered by SSL Certificate

~# openssl x509 -noout -text -in cert.crt | grep 'DNS'

Get Certificate Issuer

~# openssl x509 -noout -text -in cert.crt | grep 'Issuer:'
        Issuer: C=US, O=DigiCert Inc,, CN=DigiCert High Assurance CA-3

Get CA Issuer Authority Information

~# openssl x509 -noout -text -in cert.crt | grep 'CA Issuer'
                CA Issuers - URI:

Get Signature Algorithm

~# openssl x509 -noout -text -in cert.crt | grep 'Signature Algorithm'
    Signature Algorithm: sha1WithRSAEncryption

Get Certificate Dates

~$ openssl x509 -noout -dates -in cert.crt
notBefore=Apr 11 01:43:02 2015 GMT
notAfter=Nov  1 18:05:38 2016 GMT
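An added example script (not from the original post) that wraps the certificate/key match, the TLS version probe and the Subject Alternative Name lookup above in one place: it compares the public keys instead of the RSA modulus, so the match check also covers ECDSA certificates, which have no modulus. File names and the host are placeholders, and a non-zero exit from s_client is taken to mean the handshake failed.

```shell
#!/bin/sh
# Added example, not from the original post. File names and host are placeholders.

# Compare the public keys rather than the RSA modulus; this works for RSA and
# ECDSA certificates alike. Returns 0 on match, 1 on mismatch, 2 if a file
# could not be parsed (so an unreadable key is never reported as a "match").
cert_key_match() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Print the DNS names from the Subject Alternative Name extension, one per line.
cert_dns_names() {
  openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Probe one protocol version ($2 is tls1, tls1_1, tls1_2 or tls1_3) against
# host:port ($1). s_client exits non-zero when the handshake fails, which is
# also what you get when the local openssl build itself lacks that version.
tls_version_supported() {
  echo | openssl s_client "-$2" -connect "$1" -servername "${1%%:*}" >/dev/null 2>&1
}

# Usage when run directly, e.g.:  sh sslcheck.sh match cert.crt key.key
#                                 sh sslcheck.sh names cert.crt
#                                 sh sslcheck.sh versions <host>:<port>
case "${1:-}" in
  match)
    cert_key_match "$2" "$3"
    case $? in 0) echo match ;; 1) echo MISMATCH ;; *) echo "unreadable input" ;; esac ;;
  names) cert_dns_names "$2" ;;
  versions)
    for v in tls1 tls1_1 tls1_2 tls1_3; do
      if tls_version_supported "$2" "$v"; then echo "$v: supported"; else echo "$v: not supported"; fi
    done ;;
esac
```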