How can I Troubleshoot a Digital Certificate?

Certificate Chaining Procedures
A chained cert is one file that contains all of the certs in either forward or reverse order: your server cert, the intermediate cert(s), and the root cert. Use a text editor to combine the certificate files in the order required by the format you need.

= = = = = UPDATE 05/30/2020 = = = = =

After the Certificate Authority (CA) root certificates expired on May 30, 2020, this process helped our devices, sites, and services become trusted.

Install all of the certificates below to establish trust on both the current and cross-signed (legacy) chains of trust.

The modern roots:

USERTrust RSA Certification Authority

COMODO RSA Certification Authority

The cross-signed certificates:

AAA Certificate Services self-signed root [expiring 2028]

AAA Certificate Services - USERTrust RSA Certification Authority

AAA Certificate Services - Comodo RSA Certification Authority


= = = = = END OF UPDATE = = = = =

Basic certificate

X509 Certificate only, Base64 encoded:
  • Server

Intermediate certificate (choose one)

X509 Intermediates/root only, Base64 encoded:
  • AddTrust External CA Root
  • USERTrust RSA Certification Authority
  • InCommon RSA Server CA
X509 Intermediates/root only Reverse, Base64 encoded:
  • InCommon RSA Server CA
  • USERTrust RSA Certification Authority
  • AddTrust External CA Root

Verify the certificate

You can check the certs using OpenSSL:
openssl x509 -in "filename.cer" -text -noout

Or using an online certificate decoder:


Please note that each individual certificate must begin with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".

You'll see that the Intermediate/root files contain two certs, each wrapped in its own BEGIN and END statement.

CER files are actually in PEM format -- no conversion needed.
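
As an added example (not part of the original article or of any CA tooling), this Python script splits a combined file on its BEGIN/END markers and reports whether the certs are in forward or reverse order by matching each cert's issuer to its neighbor's subject. The sample certs are constructed, certificate-shaped DER with made-up names; names are compared byte for byte (a simplification of RFC 5280 name matching), and signatures and expiry are not checked.

```python
import base64, re
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + "(.+?)" + re.escape(END), re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER encodings of a certificate's (issuer, subject) names."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)      # tbsCertificate SEQUENCE
    fields = []                     # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:             # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def chain_order(bundle):
    """Return 'forward' (server first), 'reverse' (root first), 'single', 'malformed' or 'broken'."""
    blocks = PEM_RE.findall(bundle)
    if not blocks or bundle.count(BEGIN) != len(blocks) or bundle.count(END) != len(blocks):
        return "malformed"          # every cert needs its own BEGIN/END pair
    # Names are compared byte for byte, a simplification of RFC 5280 name matching.
    names = [issuer_subject(base64.b64decode(b)) for b in blocks]
    pairs = list(zip(names, names[1:]))
    if pairs and all(a[0] == b[1] for a, b in pairs):  # issuer == next subject
        return "forward"
    if pairs and all(a[1] == b[0] for a, b in pairs):  # subject == next issuer
        return "reverse"
    return "broken" if pairs else "single"

# Constructed sample data: certificate-shaped DER with made-up names, no keys or signatures.
def sample_pem(subject, issuer):
    d = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    name = lambda cn: d(0x30, d(0x31, d(0x30, d(0x06, b"\x55\x04\x03") + d(0x0C, cn.encode()))))
    tbs = d(0x30, d(0xA0, d(0x02, b"\x02")) + d(0x02, b"\x01") + d(0x30, b"")
            + name(issuer) + d(0x30, b"") + name(subject))
    der = d(0x30, tbs + d(0x30, b"") + d(0x03, b"\x00"))
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"
SERVER = sample_pem("server.example.test", "Example Intermediate CA")
INTERMEDIATE = sample_pem("Example Intermediate CA", "Example Root CA")
ROOT = sample_pem("Example Root CA", "Example Root CA")
```

A "broken" result usually means a missing or misplaced intermediate; confirm the actual signatures with openssl verify before deploying the file.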

If you need to convert the PEM to PKCS#12 with the key, use this OpenSSL command:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

In order to use the command above, you'll need the key file that Chad used to create the CSR on July 11th. If that key file is no longer accessible, you'll have to create a new CSR with a new key and send us the CSR so that we can generate a new cert. Your key is private and we do not need it to create your cert.

Keywords: ssl tls digital certificate x509 pkcs cer pem troubleshooting, SSL/TLS Certificates
Doc ID: 93740
Owner: Jason R.
Group: University of Illinois at Chicago ACCC
Created: 2019-08-09 15:37 CDT
Updated: 2020-07-08 12:49 CDT
Sites: University of Illinois at Chicago ACCC