When an SSL certificate loses its aura of trust, browsers and users recoil—but savvy sleuths can diagnose the rot. Here’s how to dissect a certificate’s credibility, layer by layer.
I. Browser Autopsy: Decoding Warning Glyphs
Your browser is the first cryptographer. Watch for these omens:
Browser Signal | Likely Culprit |
---|---|
Red Padlock | Expired Cert / Domain Mismatch |
“Not Secure” Label | Missing HTTPS / Mixed Content |
NET::ERR_CERT_DATE_INVALID | Expired or Not Yet Valid |
NET::ERR_CERT_AUTHORITY_INVALID | Unrooted CA / Self-Signed Cert |
NET::ERR_CERT_REVOKED | Certificate Blacklisted |
Example: A site for www.example.com uses a certificate issued to example.net → Common Name Mismatch → Red flag.
II. Certificate Forensics: The Cryptographic Microscope
Step 1: Inspect Certificate Metadata
- In Chrome/Edge: Click padlock → Connection is secure → Certificate is valid → View full details.
- Firefox: Padlock → Connection Secure → More Information → View Certificate.
Key fields to audit:
Field | Value to Verify |
---|---|
Issuer | Trusted CA (e.g., DigiCert, Sectigo) |
Valid From/To | Dates within current timeframe |
Subject Alternative Names (SANs) | Domains covered by certificate |
Pro Tip: An EV certificate should list legal entity details (e.g., O=Stark Industries, L=New York).
Step 2: Check the Trust Chain
Certificates chain to root CAs. Broken links = distrust.
- Open certificate details.
- Trace from leaf certificate → intermediate CA(s) → root CA.
- Verify root CA is in OS/browser trust store.
Example Chain:
example.com → Sectigo RSA Domain Validation CA → USERTrust RSA CA → AddTrust External CA Root
Missing intermediates? Chain shattered.
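The two steps above can be scripted. The following is an added example, not code from the original article: it takes certificates as plain dicts in the shape that Python's ssl.SSLSocket.getpeercert() returns, checks the validity window and name coverage from Step 1, then walks issuer → subject links to a trusted root as in Step 2, reporting a missing intermediate or an untrusted self-signed root. Every certificate, CA name, date and trust-store entry below is constructed for illustration; the hostname matcher goes slightly beyond the article's single CN-mismatch example by applying the usual SAN-first and one-label-wildcard rules.

```python
"""Audit a server certificate the way Steps 1 and 2 do by hand:
validity window, name coverage, and the issuer -> subject walk to a trusted root.

Added example (not from the original article). Certificates are dicts in the
shape ssl.SSLSocket.getpeercert() returns; all values are constructed samples.
"""
import ssl

# Constructed sample chain: leaf -> intermediate -> root (root lives in the store).
LEAF = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
INTERMEDIATE = {
    "subject": ((("commonName", "Example Intermediate CA"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}
SELF_SIGNED = {  # a development certificate that signs itself
    "subject": ((("commonName", "dev.local"),),),
    "issuer": ((("commonName", "dev.local"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
TRUST_STORE = {"Example Root CA"}  # root CNs the OS/browser trusts (constructed)
NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2024 GMT")  # constructed clock


def name_cn(rdns):
    """commonName from getpeercert()'s nested (((attr, value),), ...) tuples."""
    for rdn in rdns:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def validity_problem(cert, now):
    """'not yet valid', 'expired', or None when `now` lies inside the window."""
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return None


def hostname_matches(cert, hostname):
    """DNS SANs win; the CN is consulted only when there are no DNS SANs;
    '*' may replace exactly one leading label (so '*.example.com' covers
    www.example.com but neither example.com nor a.b.example.com)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [name_cn(cert["subject"])]
    host = hostname.lower().rstrip(".").split(".")
    for pattern in names:
        pat = pattern.lower().split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*" and len(pat) >= 3:  # refuse '*.com'-style wildcards
            if pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def build_chain(leaf, sent_certs, trust_store):
    """Walk issuer -> subject links from the leaf until a trusted root closes
    the chain. Returns (list of CNs in the chain, problem or None)."""
    by_subject = {name_cn(c["subject"]): c for c in sent_certs}
    chain = [name_cn(leaf["subject"])]
    cur = leaf
    while len(chain) <= 10:  # guard against issuer loops
        issuer = name_cn(cur["issuer"])
        if issuer in trust_store:
            return chain + [issuer], None  # anchored in the trust store
        if issuer == name_cn(cur["subject"]):
            return chain, "self-signed certificate, root not in trust store"
        cur = by_subject.get(issuer)
        if cur is None:
            return chain, f"missing intermediate: no certificate for issuer '{issuer}'"
        chain.append(issuer)
    return chain, "chain too long"


def audit(hostname, leaf, sent_certs, trust_store, now=NOW):
    """Collect the findings a browser would turn into warning glyphs."""
    findings = []
    problem = validity_problem(leaf, now)
    if problem:
        findings.append(f"date invalid: certificate {problem}")
    if not hostname_matches(leaf, hostname):
        findings.append(f"name mismatch: '{hostname}' not covered by the certificate")
    chain, problem = build_chain(leaf, sent_certs, trust_store)
    if problem:
        findings.append(f"authority invalid: {problem}")
    return chain, findings


if __name__ == "__main__":
    for host, certs in (("www.example.com", [INTERMEDIATE]), ("www.example.com", [])):
        chain, findings = audit(host, LEAF, certs, TRUST_STORE)
        print(host, "->", " -> ".join(chain), "|", findings or "OK")
```

Serving the leaf without INTERMEDIATE reproduces the "chain shattered" case: the walk stops at the leaf and reports the missing issuer, which is exactly what a browser or OpenSSL's error 20 complains about. In production, feed the dicts from ssl.SSLSocket.getpeercert() (leaf) and let the library do the signature checks; this walker only reasons about names and dates.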
III. Terminal Warfare: OpenSSL’s Scalpel
Command-line tools expose deeper rot.
A. Validate Certificate Chain
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
(Append | openssl x509 -noout -text to dump the leaf certificate's fields. The verify lines below are written to stderr, so do not discard it with 2>/dev/null while chain-checking.)
- Output Clues:
verify error:num=20:unable to get local issuer certificate → Missing intermediate.
verify return:1 → Handshake continued despite the error (partial trust).
B. Check Revocation Status
OCSP (Online Certificate Status Protocol):
openssl s_client -connect example.com:443 -servername example.com -status 2>/dev/null | grep -A 17 "OCSP"
Response verify OK → Cert valid.
Revoked → Dead on arrival.
Offenders: Blacklisted certs (e.g., post-Symantec 2018 purge).
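Reading those clues off a long s_client transcript is error-prone when you audit many hosts, so here is an added example (not from the original article) that triages the output of the two commands above: it extracts the depth= lines, verify error numbers, the final Verify return code and any stapled OCSP Cert Status, and maps them to the diagnoses in this section. The two transcripts are constructed to mimic s_client output for a missing-intermediate host and a revoked-but-chained host; they are not captures from any real server. The error-number table uses OpenSSL's documented X509 verify codes.

```python
"""Triage `openssl s_client` output for chain and OCSP problems.

Added example, not code from the original article. The transcripts below are
constructed samples shaped like s_client output, not real captures.
"""
import re

# OpenSSL X509 verify error numbers -> the article's diagnoses.
VERIFY_ERRORS = {
    9: "certificate not yet valid",
    10: "certificate expired",
    18: "self-signed leaf certificate (not CA-issued)",
    19: "self-signed certificate in chain (root not in trust store)",
    20: "missing intermediate: server did not send the issuer certificate",
    62: "hostname does not match certificate SANs/CN",
}

RE_VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$", re.M)
RE_DEPTH = re.compile(r"^depth=(\d+) (.*)$", re.M)
RE_RETURN_CODE = re.compile(r"^Verify return code: (\d+) \((.*)\)$", re.M)
RE_OCSP_STATUS = re.compile(r"^\s*Cert Status: (\w+)", re.M)


def triage(transcript):
    """Summarise chain depth, verify errors, final verdict and OCSP status."""
    errors = [(int(num), msg) for num, msg in RE_VERIFY_ERR.findall(transcript)]
    depths = [int(d) for d, _ in RE_DEPTH.findall(transcript)]
    code = RE_RETURN_CODE.search(transcript)
    return_code = int(code.group(1)) if code else None
    status = RE_OCSP_STATUS.search(transcript)
    ocsp = status.group(1).lower() if status else None  # None = nothing stapled

    diagnoses = [VERIFY_ERRORS.get(num, f"verify error {num}: {msg}")
                 for num, msg in errors]
    if ocsp == "revoked":
        diagnoses.append("certificate revoked per stapled OCSP response")
    elif ocsp is None:
        diagnoses.append("no OCSP staple: check revocation out of band")

    chain_ok = return_code == 0 and not errors
    return {
        "chain_depth": max(depths) + 1 if depths else 0,  # certs examined
        "verify_errors": errors,
        "return_code": return_code,
        "ocsp_status": ocsp,
        "chain_ok": chain_ok,
        "usable": chain_ok and ocsp != "revoked",
        "diagnoses": diagnoses,
    }


# Constructed transcript: server sent only its leaf, no OCSP staple.
MISSING_INTERMEDIATE = """\
depth=0 CN = example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = example.com
   i:C = GB, O = Example Org, CN = Example Intermediate CA
---
OCSP response: no response sent
---
Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed transcript: full chain verifies, but the staple says revoked.
REVOKED_STAPLED = """\
depth=2 C = GB, O = Example Org, CN = Example Root CA
verify return:1
depth=1 C = GB, O = Example Org, CN = Example Intermediate CA
verify return:1
depth=0 CN = example.com
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Mar  3 10:00:00 2024 GMT
======================================
---
Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, text in (("missing intermediate", MISSING_INTERMEDIATE),
                       ("revoked staple", REVOKED_STAPLED)):
        print(name, "->", triage(text))
```

The second transcript is the case the revocation check exists for: the chain is flawless ("Verify return code: 0 (ok)") yet the certificate is dead on arrival, so a triage that stops at the verify code would wave it through. Pipe real s_client output in with stderr merged (2>&1), since the depth= and verify lines are written to stderr.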
IV. Web Tools: Third-Party Vigilantes
Leverage scanners for impartial audits:
Tool | Insight |
---|---|
SSL Labs Test | Certificate trust chain, protocol/cipher flaws |
Why No Padlock? | Mixed content, insecure redirects |
CRT.sh | Search for rogue/duplicate certs |
Example SSL Labs Report Flaws:
Chain issues - Incomplete → Missing intermediates.
This server's certificate is not trusted → Self-signed.
V. OS/Device-Specific Quirks
Trust stores vary. A cert trusted on macOS may fail on Android.
Platform | Trust Store Location |
---|---|
Windows | certlm.msc (Local Machine Certificates) |
macOS | Keychain Access → System Roots |
Linux | /etc/ssl/certs/ + update-ca-certificates |
Pro Tip: Cross-test using VM/device emulators.
VI. Worst-Case Scenarios & Fixes
Symptom | Solution |
---|---|
Untrusted CA | Reissue via trusted CA (e.g., DigiCert) |
Mismatched SANs | Regenerate CSR with correct domains |
Expired Cert | Renew (auto: Certbot; manual: CA dashboard) |
Revoked Cert | Replace with new cert (root cause: breach) |
Self-Signed Cert | Deploy for testing; replace with CA-signed |
Epilogue: Trust No One—Verify Everything
SSL trust is a fragile pact. Regular audits, automated monitoring (e.g., Certbot renewals), and keeping pace with browser trust-store policy are non-negotiable.
Final Checklist:
- Weekly: Browser/SSL Labs scan.
- Monthly: Rotate weak keys (RSA → ECC).
- Quarterly: Purge dead CAs from trust stores.
Your HTTPS castle crumbles not by force, but by neglect.