I have created my own CA and an Intermediate CA.
The Intermediate CA is signed by the self-signed CA, and then I create a private key and a certificate for the websites I have in my lab. The certificate has as its common name the FQDN of the server (which is the same as the CA/IntCA).
The certificate has all the sites in the Subject Alternative Names.
Apache is configured like this for all sites:
# HTTP
<VirtualHost *:80>
    ServerName trd.example.com
    # Redirect any HTTP request to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
    # Logging
    LogLevel warn
    ErrorLog logs/trd.example.com-error_log
    CustomLog logs/trd.example.com-access_log combined
</VirtualHost>
<VirtualHost *:443>
    ServerName trd.example.com
    SSLEngine on
    SSLCertificateKeyFile /etc/pki/tls/private/server.example.com_key.pem
    SSLCertificateFile /etc/pki/tls/certs/server.example.com_chain.pem
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=63072000"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    DocumentRoot /var/www/sites/trd
    # Logging
    LogLevel warn
    ErrorLog logs/trd.example.com-error_log
    CustomLog logs/trd.example.com-access_log combined
</VirtualHost>
The file server.example.com_chain.pem contains the site's certificate and the Intermediate CA's certificate. Apache starts, but then, when I connect to any site with either Firefox or Chrome, I get SSL errors.
I tried to verify the ssl with the openssl command and I get this error:
Verify return code: 7 (certificate signature failure)
The full output of the command is:
$ openssl s_client -connect trd.example.com:443
CONNECTED(00000003)
depth=2 C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = [email protected]
verify return:1
depth=1 C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = [email protected]
verify return:1
depth=0 C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = [email protected]
verify error:num=7:certificate signature failure
verify return:1
depth=0 C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = [email protected]
verify return:1
---
Certificate chain
0 s:C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = [email protected]
i:C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = [email protected]
1 s:C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = [email protected]
i:C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = [email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEuzCCBB2gAwIBAgIUXaYFIVHY33EeSst3A22ExUzKjf8wCgYIKoZIzj0EAwIw
....
MQhgl8SAmayZK81mLpvO7SoUEjOUYyKzht08qjSJACDwGhFL5YuXydWcuTDPN+tv
CzYVuHq/HJcX8zocGzhz
-----END CERTIFICATE-----
subject=C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = [email protected]
issuer=C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = [email protected]
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3566 bytes and written 396 bytes
Verification error: certificate signature failure
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 7 (certificate signature failure)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 6999AE5E768A5068199C8AEC33395E11CAA6CD9A9AA00952C4EDED9FB14A6DCA
Session-ID-ctx:
Resumption PSK: F09B2927E48D9934395D9FB1364D70DE798EF30694687B0918B4517F8BD2B83E70FDA60640C9165FAF19EE81DAD97C03
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1585135481
Timeout : 7200 (sec)
Verify return code: 7 (certificate signature failure)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 844AB89D046A9564B4F71DE1689D63E295D796AA3DB3C97360A276216A711052
Session-ID-ctx:
Resumption PSK: 10DBA6252AECC4DC7A9567DA8CDA7C4B6695E0788D33533F155726628A8CBE9DC361A977473759402A9E2D2EA15698A7
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1585135481
Timeout : 7200 (sec)
Verify return code: 7 (certificate signature failure)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
This is my chain certificate:
openssl x509 -text -noout -subject -in /etc/pki/tls/certs/server.example.com_chain.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5d:a6:05:21:51:d8:df:71:1e:4a:cb:77:03:6d:84:c5:4c:ca:8d:ff
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = [email protected]
Validity
Not Before: Mar 24 16:42:09 2020 GMT
Not After : Jan 15 11:00:00 2030 GMT
Subject: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name: critical
DNS: server.example.com, DNS: db.example.com, DNS: trd.example.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: ecdsa-with-SHA256
subject=C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = [email protected]
And this is the certificate of my CA:
openssl x509 -text -noout -subject -in /etc/pki/ca/certs/MyCA_crt.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
71:....:19:90:e4
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = [email protected]
Validity
Not Before: Mar 24 09:33:34 2020 GMT
Not After : Mar 1 11:00:00 2030 GMT
Subject: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:...:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: server.example.com
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
Signature Algorithm: sha256WithRSAEncryption
09:...29
subject=C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = ...
And this is the CA1 certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:d8:98:93:...:92:75:15:c2:cf:20:13
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = [email protected]
Validity
Not Before: Mar 24 09:33:37 2020 GMT
Not After : Feb 1 11:00:00 2030 GMT
Subject: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: server.example.com
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
Signature Algorithm: sha256WithRSAEncryption
subject=C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = [email protected]
How can I find what is wrong with it???
The full certificate chain is the following:
So, how can I find what is wrong with my certificates?
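Added example, not part of the original post: in the dumps above the server certificate's signature is `ecdsa-with-SHA256` while the `myCA1` certificate carries an `rsaEncryption` key, and this stdlib-only Python check flags that kind of mismatch from `openssl x509 -text` output. The sample dumps are constructed from the post's algorithm fields with DNs shortened to the CN, and all function and variable names are hypothetical.

```python
import re

# Fields as printed by `openssl x509 -text`; re.search takes the first match.
FIELDS = {
    "issuer": r"^\s*Issuer: (.+)$",
    "subject": r"^\s*Subject: (.+)$",
    "sig_alg": r"^\s*Signature Algorithm: (\S+)",
    "key_alg": r"^\s*Public Key Algorithm: (\S+)",
}

def parse_dump(text):
    """Extract issuer, subject, signature and key algorithm from a text dump."""
    cert = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.M)
        if m is None:
            raise ValueError(f"field {name!r} not found in dump")
        cert[name] = m.group(1).strip()
    return cert

def family(alg):
    """Map an OpenSSL algorithm name to a key family, or None if unknown."""
    a = alg.lower()
    if a.startswith("ecdsa") or "ecpublickey" in a:
        return "EC"
    return "RSA" if "rsa" in a else None

def find_mismatches(dumps):
    """Return (subject, reason) pairs for certs that fail the issuer-key check."""
    certs = [parse_dump(d) for d in dumps]
    by_subject = {c["subject"]: c for c in certs}
    findings = []
    for c in certs:
        issuer = by_subject.get(c["issuer"])
        if issuer is None:
            findings.append((c["subject"], "issuer certificate not supplied"))
            continue
        need, have = family(c["sig_alg"]), family(issuer["key_alg"])
        if need and have and need != have:
            findings.append((c["subject"], f"signature is {c['sig_alg']} but "
                             f"issuer key is {issuer['key_alg']}"))
    return findings

# Constructed sample: only the algorithm fields of the post's three dumps, DNs cut to CN.
TEMPLATE = ("Signature Algorithm: {sig}\n    Issuer: CN = {issuer}\n    Subject: CN = {subject}\n"
            "    Subject Public Key Info:\n        Public Key Algorithm: {key}\n")
CHAIN = [TEMPLATE.format(subject=s, issuer=i, sig=g, key=k) for s, i, g, k in (
    ("server.example.com", "myCA1", "ecdsa-with-SHA256", "rsaEncryption"),
    ("myCA1", "myCA", "sha256WithRSAEncryption", "rsaEncryption"),
    ("myCA", "myCA", "sha256WithRSAEncryption", "rsaEncryption"))]
```

`find_mismatches(CHAIN)` returns a single finding, for `CN = server.example.com`: an ECDSA signature cannot verify against an RSA issuer key, so the thing to check is which private key was passed when the server certificate was signed.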