← Week 5: PKI Architecture + Rust Integration

Day 32: Debugging Certificates

Phase 1 · June 14, 2026

Agenda (2–3 hours)

  • Read (30 min): Review RFC 5280 §6 error conditions; TLS alert descriptions from Day 17
  • Study (30 min): Common cert failure modes and their openssl diagnostics
  • Practice (90 min): Reproduce and diagnose 8 certificate error scenarios
  • Challenge (30 min): Debugging runbook

The Certificate Debugging Toolkit

# Inspect a cert
openssl x509 -in cert.pem -noout -text

# Verify a chain
openssl verify -CAfile root.pem -untrusted intermediate.pem leaf.pem

# Connect and inspect (shows verification errors)
openssl s_client -connect host:443 -CAfile ca.pem

# Check cert expiry
openssl x509 -in cert.pem -noout -dates
openssl x509 -in cert.pem -noout -checkend 86400  # expires in next 24h?

# Parse ASN.1
openssl asn1parse -in cert.pem

# Show OCSP response
openssl s_client -connect host:443 -status </dev/null 2>/dev/null | grep OCSP

Common Failure: Expired Certificate

Verify return code: 10 (certificate has expired)

Cause: current time is past NotAfter.
Diagnosis: openssl x509 -in cert.pem -noout -dates
Fix: renew the certificate.

Automation note: alert on NotAfter - 30 days. Never let certs expire in prod.
For Lambda-based provisioning: a DynamoDB TTL on cert records can trigger renewal workflows (the TTL deletion lands in the table's stream, which invokes the renewal Lambda). TTL deletion is best-effort and can lag the expiry time by up to 48 hours, so set the TTL well ahead of NotAfter, not at it.

Common Failure: Unknown CA

Verify return code: 19 (self signed certificate in certificate chain)
Verify return code: 20 (unable to get local issuer certificate)

Cause: trust anchor not in trust store, or intermediate CA cert not provided.
Diagnosis: openssl verify -verbose reports which certificate in the chain fails and at what depth (error N at D depth lookup).
Fix: install root CA cert, or configure server to send full chain.

In Rust/rustls: the RootCertStore must contain the root CA cert.
  • Public PKI: populate the RootCertStore from webpki_roots::TLS_SERVER_ROOTS and pass it to with_root_certificates.
  • Private PKI: add(cert) the trust anchor to the store.

Common Failure: Hostname Mismatch

SSL: certificate subject name 'api.internal.example.com'
     does not match target host name 'api.example.com'

Cause: cert's SANs don't include the hostname being connected to.
Diagnosis: openssl x509 -in cert.pem -noout -text | grep -A5 "Subject Alternative"
Fix: reissue cert with correct SANs.

In rustls: ServerName::try_from("hostname") must match a SAN in the cert.

Common Failure: Missing Intermediate

Verify return code: 21 (unable to verify the first certificate)

Cause: server only sent leaf cert, not the intermediate CA cert(s).
Client can't build a chain to a trusted root without the intermediate.

Diagnosis: openssl s_client -showcerts, then count the certificates returned; a single certificate means the server is not sending the intermediate.
Fix: configure server to send the full chain (leaf + all intermediates, no root).

Practice Exercise

Using badssl.com and your local test PKI:

# Run each of these and document the exact error (</dev/null closes s_client's stdin so it exits instead of waiting for input)
openssl s_client -connect expired.badssl.com:443 </dev/null 2>&1 | grep "verify error"
openssl s_client -connect wrong.host.badssl.com:443 </dev/null 2>&1 | grep "verify error"
openssl s_client -connect self-signed.badssl.com:443 </dev/null 2>&1 | grep "verify error"
openssl s_client -connect untrusted-root.badssl.com:443 </dev/null 2>&1 | grep "verify error"
openssl s_client -connect revoked.badssl.com:443 </dev/null 2>&1 | grep "verify error"
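The badssl.com endpoints cover the public-PKI side of the lab; the script below is an added example (not code from the course page) that builds the "local test PKI" part and reproduces the return codes from the Expired, Unknown CA, Hostname Mismatch and Missing Intermediate slides against certificates you control. It generates a throwaway root, intermediate and leaf with openssl, then runs openssl verify under each misconfiguration and prints the error number. The -attime scenarios move verify's clock instead of waiting for the leaf to expire. All names (Lab Root, Lab Intermediate, api.internal.example.com) and the helper names build_lab_pki, verify_code and valid_for_days are constructed for this example.

```shell
#!/bin/sh
# Added example for the lab above (not code from the course page): build a throwaway
# root -> intermediate -> leaf PKI with openssl and reproduce the verify return codes
# from the four failure slides, so each number maps to a concrete misconfiguration.
# Names (Lab Root, Lab Intermediate, api.internal.example.com) are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# Build the lab PKI in directory $1. Root and intermediate get ten years; the leaf
# gets one day, so a shifted -attime can push the clock past its NotAfter.
build_lab_pki() (
    cd "$1"
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:api.internal.example.com\n' > leaf.ext
    for name in root int leaf; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$name.key" 2>/dev/null
    done
    openssl req -new -config req.cnf -key root.key -subj '/CN=Lab Root' -out root.csr
    openssl req -new -config req.cnf -key int.key -subj '/CN=Lab Intermediate' -out int.csr
    openssl req -new -config req.cnf -key leaf.key -subj '/CN=api.internal.example.com' -out leaf.csr
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 3650 -extfile ca.ext -out int.pem 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null
    # What a server sends when it appends the root: fine for a client that trusts
    # Lab Root, error 19 for a client that does not.
    cat int.pem root.pem > chain_with_root.pem
)

# Run `openssl verify` against the lab only (system trust store disabled) and print
# "OK" or the first X509 error number from its "error N at D depth lookup: ..." line.
verify_code() {
    if out=$(openssl verify -no-CAfile -no-CApath "$@" 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1
    fi
}

# Renewal check from the "Expired Certificate" slide: exit 0 if the cert is still
# valid $2 days from now, 1 if it will have expired by then (NotAfter - 30 days => 30).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

lab_dir=$(mktemp -d)
trap 'rm -rf "$lab_dir"' EXIT
build_lab_pki "$lab_dir"
now=$(date +%s)
root="$lab_dir/root.pem"; inter="$lab_dir/int.pem"; leaf="$lab_dir/leaf.pem"

# One line per scenario: the misconfiguration, then the code verify reports for it.
echo "full chain, root trusted:          $(verify_code -CAfile "$root" -untrusted "$inter" "$leaf")"                                          # OK
echo "leaf only, intermediate missing:   $(verify_code -CAfile "$root" "$leaf")"                                                               # 20
echo "root in chain but not trusted:     $(verify_code -untrusted "$lab_dir/chain_with_root.pem" "$leaf")"                                     # 19
echo "clock 2 days ahead (expired):      $(verify_code -CAfile "$root" -untrusted "$inter" -attime $((now + 172800)) "$leaf")"                 # 10
echo "clock 1 day behind (not yet valid):$(verify_code -CAfile "$root" -untrusted "$inter" -attime $((now - 86400)) "$leaf")"                  # 9
echo "hostname api.example.com:          $(verify_code -CAfile "$root" -untrusted "$inter" -verify_hostname api.example.com "$leaf")"          # not OK: SAN mismatch
echo "hostname api.internal.example.com: $(verify_code -CAfile "$root" -untrusted "$inter" -verify_hostname api.internal.example.com "$leaf")" # OK
valid_for_days "$leaf" 30 && echo "leaf: valid for 30+ days" || echo "leaf: renew now (expires within 30 days)"
```

Run it as ./lab_pki.sh (or sh lab_pki.sh); the temporary directory is removed on exit. Note what the 20 versus 19 pair shows: the same trusted root gives "unable to get local issuer certificate" when the intermediate is missing from what the server sends, and "self signed certificate in certificate chain" when the server sends the whole chain but the client does not trust its root, so the fix is on a different side in each case.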

Challenge Assignment

Create cert_debugging_runbook.md with a table:

Error                 | openssl return code | Message | Likely cause | Diagnostic command | Fix
Expired               | 10                  |         |              |                    |
Unknown CA            | 19/20               |         |              |                    |
Hostname mismatch     |                     |         |              |                    |
Missing intermediate  | 21                  |         |              |                    |
Revoked               | 23                  |         |              |                    |
Weak signature        |                     |         |              |                    |
Not yet valid         | 9                   |         |              |                    |
Path length exceeded  | 25                  |         |              |                    |

Fill in every column from lab results and RFC 5280 §6.

Resources

  • openssl-verify(1): return codes
  • RFC 5280 §6: path validation error conditions
  • badssl.com: test endpoints for each error scenario
  • Your runbook becomes a reference artifact to bring back to your team