SSL Certificates - How to verify that your intermediate certificates are installed correctly

This article details different methods available to verify your SSL certificate is installed correctly.

Typically, after installing a certificate on a server we test the installation using various browsers. This works okay as long as you delete the intermediate certificate (not the root certificate) from your browser.  During SSL negotiation the server should send the end entity SSL certificate and the intermediate certificate to the client (browser), if the intermediate certificate is properly installed on the server.  In our case, the InCommon intermediate certificate should be downloaded to the client. 

Alternatively if you have openssl available, you can test whether or not the intermediate certificate is installed correctly by executing this command:

openssl s_client -showcerts -connect [webservertotest.wisc.edu]

OR

openssl s_client -connect [webservertotest.wisc.edu]:443 -CAfile AddTrustRoot.cer

The command should return status code of 0 if everything is in order.

Note: Use the appropriate substitution for your particular situation.  For example, replace "webservertotest.wisc.edu" with the CN of the webserver you are configuring, modify the port number if needed, and make sure you have a copy of the root certificate which I named "AddTrustRoot.cer" 

Alternatively, you can use the following on-line tool to test your web site.

http://www.ssltool.com/?action=sslCheckOpenSSL




Keywords:server certificates ssl incommon comodo   Doc ID:20264
Owner:Michael G.Group:Digital ID
Created:2011-09-14 15:05 CDTUpdated:2016-05-24 17:13 CDT
Sites:Digital ID, DoIT Help Desk, DoIT Staff, Office of Campus Information Security
Feedback:  7   7