Decoder.link user guide

This article is an overview of the functionality of the SSL Installation checker available via the following link: https://decoder.link/sslchecker/


SSL checker

This tab allows you to check your SSL status and other needed information about your domains. To check a domain/subdomain and its SSL certificate, paste the fully-qualified domain/subdomain name (FQDN) (e.g. namecheap.com) in the "Hostname" field and make sure to select the appropriate port (443 is used by default). If your SSL is viable, a blue window will appear under the "Report" section.


Report

This section summarizes the analysis performed and gives a general picture of the domain settings.

  • “Hostname” - match/mismatch - shows whether the common name in the certificate matches the domain/subdomain you entered for checking;
  • “Expired” - Yes/No, with days counter - shows whether the SSL currently installed for the domain you’re checking is valid or expired. If it is still valid, it will also show how many days remain;
  • “Public Key” - contains the following markings for the end-entity certificate:

    • RSA key size – should comply with 2048/4096 bits size;
    • ECDSA curves - checks if the ECDSA curve is supported by most SSL/TLS clients;
    • DSA - checks if the certificate contains a DSA key;
  • “Trusted” - Yes/No, whether or not the certificate chain can be verified against the browser's trusted storage;
  • “Self-Signed” - Yes/No - checks if the end-entity certificate is self-signed;
  • “Chain Issues” - Yes/No, checks if the server supplies intermediate certificates and if each certificate in the chain directly signs the preceding one;
  • “Weak signatures” - Yes/No, checks if the chain contains certificates (excluding root certificate) signed with a weak hash function (e.g. MD5, SHA1);
  • “OCSP Status” - checks the revocation status of the certificates in the OCSP responder.

Below is the table listing the possible results in the fields mentioned above and their meaning

Field Positive result Negative result
Hostname Matches Common Name or/and SAN Doesn't match Common Name or/and SANs
Expired No (X days till expiration) Yes (expired X days ago)
Public Key We were unable to find any issues in the public key of end-entity certificate RSA key size is too small, current industry standard for RSA keys is 2048 bits
Trusted Yes, we were able to verify the certificate We were unable to verify this certificate
Self-Signed No, the end-entity certificate is not self-signed The end-entity certificate is self-signed
Chain Issues No, we were unable to detect any issues in the certificate chain sent by the server

The chain doesn't contain any intermediate certificates

The order of certificates is invalid or certificates cannot build certification path

Weak Signatures No, certificates sent by the server were not signed utilizing a weak hash function End-entity or/and intermediate certificate(s) was signed utilizing a weak hash function
OCSP Status OCSP Responder returned "good" status for the end-entity certificate Certificate has been revoked


DNS Information

  • Resolves To: shows the IP address of your server;
  • Reverse IP lookup: shows the server hostname;
  • Nameserver: NS records;
  • Note: shows if the check detects Namecheap hosting or default nameservers. The check also performs an analysis of PTR records to recognize Namecheap shared hosting and will present a corresponding notification.

The function responsible for DNS lookup is executed independently from the function that tries to perform an SSL/TLS handshake. This means that if there’s no SSL installed on the server, some DNS-related information will still be displayed, even if a handshake can’t be established. Below is an example of a case when the server doesn't send certificates in response:

The reason for this kind of result is to simplify troubleshooting when the issue is caused by DNS issues (e.g., incorrect CNAME/A records, FQDN resolution issues, etc).


General Information

The following information about the SSL certificate can be found in this section:

  • Common Name: common name of the end-entity certificate that is installed on the server;
  • SANs: additional domains/subdomains covered by the end-entity certificate;
  • Organization: the company the certificate was issued for (only if presented in the certificate);
  • Locality: your full city name (only if presented in the certificate);
  • Signature Algorithm: (highlighted when a weak signature is used);
  • Key Type: RSA/ECDSA (highlighted if issues found, the issue description will appear in the "Report" section);
  • Key Size: the bit length of the Private key (e.g. 2048 bits/4096 bits);
  • Not before: "Valid From" value of the end-entity certificate; the first day of the certificate issuance;
  • Not after: "Valid To" value of the end-entity certificate; the expiration date of the certificate;
  • Number of certs: quantity of certificates in the certificate chain;
  • Revocation Status: good/not good;
  • OCSP Stapling: not supported/supported;
  • Server: specifies server type (shows the result of the curl -i command);
  • HSTS: checks whether the server has an HSTS header enabled;
  • HPKP: checks whether the server has an HPKP header enabled.


Chain Information

Describes every certificate listed in the certificate chain separately by the following parameters:

  • In place?: checks whether the certificate directly certifies the preceding one in a chain (this parameter is only displayed for certificates in a CA Bundle.);
  • Subject Common Name: common name of the certificate that is being checked;
  • Subject Organization: organization name of the certificate that is being checked;
  • Issuer Common Name: common name of the certificate that directly certifies this one;
  • Issuer Organization: organization name of the certificate that directly certifies this one;
  • Not Before: the first day certificate was issued;
  • Not After: the last day of the certificate lifespan/the expiration date;
  • Signature Algorithm: checks the type of signature algorithm used in the certificate (e.g. sha256WithRSAEncryption, sha384WithRSAEncryption);
  • Serial Number: the unique number of the certificate in the CA database;
  • SHA1 Fingerprint: used to authenticate the public key;
  • MD5 Fingerprint: a message digest by the cryptographic hash function used for different authentication purposes (e.g. check if the Private key matches the certificate).


OpenSSL Handshake

This section contains the output of an OpenSSL command that directly checks the server's SSL configuration, including the full chain, certificate information, SSL/TLS handshake, TLS protocols defined, cipher suites enabled and so on:

openssl s_client -showcerts -connect example.com:443 -servername example.com

Generally, it is the main source of the information used for the "Report", "General Information", "Chain Information" sections.


SSL & CSR Decoder

This tool helps decode the SSL certificate or CSR code and analyzes it to detect issues. When everything is correct, the following message will appear:

Once you paste the CSR/certificate and click the "Decode" button, a unique link for sharing it will appear.

Note that the result will differ depending on whether the CSR or the certificate code was pasted.


General Information

This section describes general information about the generated CSR code, such as:

  • Common Name;
  • Organization;
  • Locality;
  • State;
  • Country;
  • SANs;
  • Key Type;
  • Key Size;
  • Debian Weak Key: checks whether the generated Private key contains weak hash functions;
  • CSR Size;
  • Signature Verification;
  • Signature Algorithm;
  • SHA1 Modulus Hash;
  • HTTP Validation File: file for Sectigo HTTP-based validation.

Here you can download the validation file and upload it to the server right away to validate the certificate. However, this validation file won't have a unique value (unique values are randomly generated by CAs after the certificate is activated) included, so it will be necessary to update this information manually. You might need to contact our SSL Support for assistance.

  • HTTP Validation Link: direct link to the validation file;
  • DNS DCV Alias: the "Host" value of the CNAME record for DNS-based DCV;
  • DNS DCV CNAME: the "Target" value of the CNAME record for DNS-based DCV without unique value included.

Additional sections that are included when the report is for an SSL certificate:

  • Revocation Status: good/not good;
  • Expired: yes/no;
  • Not Before: "Date, year hh:mm:ss GMT" format – the Sectigo admin issuance date (if the certificate was issued by Sectigo);
  • Not After: "Date, year hh:mm:ss GMT" format – the expiration date of the certificate;
  • Trusted?: the system was able/unable to find the issuer;
  • Certificate Path: shows certificates listed in the certificate chain by their "Common Name" values;
  • Bundle (Nginx): by clicking the floppy disc icon on the right, the combined certificate with the CA bundle file (.crt + .ca-bundle) can be downloaded. It is useful for Nginx users who are facing issues with combining the files manually;
  • Bundle (Apache): the default CA bundle file with one intermediate and one root certificate included.


Subject Information

  • Common Name;
  • Locality;
  • Organization;
  • State;
  • Country.


x509v3 Extensions, Raw OpenSSL Data, OpenSSL ASN1parse

This section describes what x509v3 extensions are in use. These kinds of extensions mostly fall into advanced SSL peculiarities and are usually only interesting to the tech-savvy. More information can be found in this official document.

Documentation about the peculiarities of the OpenSSL ASN1parse feature can be found here.

The "Raw OpenSSL Data" tab shows the result of OpenSSL checks without the certificate chain included.


CSR Generator

If you can’t generate a CSR code on your server or you’re facing difficulties with certain custom settings, an online CSR generator tool is a lifesaver. We have added one in the decoder.link tool:

Default restrictions for fields apply: do not use any of the following characters during the CSR generation: < > ~ ! @ # $ % ^ * / \ ( ) ? & ,

  • Domain certificate to be issued for: a fully-qualified domain name (for example, example.com);
  • Locality: your full city name (New York, Los Angeles, etc.);
  • State: your state or province (enter "NA" if you do not have one);
  • Organization: the company you are issuing the certificate for (enter "NA" if you do not have one);
  • Organization Unit: the department of the company you are issuing the certificate for (you may leave it empty);
  • Email: you may leave it empty;
  • Country: the 2-letter ISO code of your country (can be checked here).

If you tick the "Show advanced settings" checkbox, you can change such settings as:

  • Supply SANs
  • Change the key algorithm (RSA/ECDSA) and bit length (2048/4096 bits)
  • Change the Private key encryption algorithm
  • Enable x509v3 extensions, such as basic constraints and OCSP Must-Staple
  • Key usage parameters and extended features

Note: Nothing should be changed in advanced settings if you want to issue a regular certificate. Only use this if you are an advanced user and want to enable additional secure options on your server and want to set custom parameters for CSR generation.

Once you click the "Generate" button, a new window will pop up:

The "Collect Generated Data" window contains a warning about the importance of saving a Private key file and three codes:

  • CSR;
  • Private Key;
  • Certificate - self-signed certificate, cannot be used for the installation.

Make sure to save the CSR code and Private key before you click the "I have copied the Private key, close this window" button to close the window.


SSL Converter

The converter tool (https://decoder.link/converter) was designed to convert general certificate formats to other formats. Here is a list of file formats for reference:

  • PKCSX (PEM) - a file with a .crt or .key extension containing an SSL certificate or Private key. Usually required for Apache-based servers, Nginx, and control panels.
  • PKCS7 (P7B) - a file with a .cer or .p7b extension containing an SSL certificate combined with a CA Bundle. This format is required for IIS servers.
  • PKCS12 (PFX) - a file with a .pfx or .p12 extension containing a certificate combined with CA Bundle and Private key files. This format is used on IIS and Java-based servers.

Different server types require different certificate file formats. The certificates we provide are issued in an x.509 format, a version of the ASN.1 file encoding standard. This certificate can be downloaded from your account in the PEM format with a .crt extension and CA bundle or in the PKCS#7 format with a .p7b extension. It will download in an archive file which you should unzip. It contains three files: a certificate (.crt), a CA bundle (.ca-bundle), and the certificate in PKCS#7 file format (.p7b).

The following tool options will help convert the certificates to the needed format:

  • PEM to PKCS#12

    Choose the "PEM TO PKCS#12" option and upload these files:

    • Add the .crt (.pem) file to the "Certificate File" field;
    • Add the .key (.txt) file to the "Key File" field, including the following tags in the file: -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----. The location of this file depends on how you generated your CSR code. Find more information here;
    • Add the .ca-bundle file to the "Bundle File" field. This file may contain several certificate codes. Ensure to include them all and the tags -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- for each certificate code.

    Make sure to set a password for the PFX file. You will be prompted to type your password when importing the certificate to the server. So, make sure to save the password somewhere until then.

    When you’ve uploaded all the files, click the "Convert" button to finish the process and press the "Download" button to download the converted certificate.

    If you uploaded incorrect certificate or Private key, when you try to open the .zip archive that contains the PFX file, you will encounter the following error:

    If this happens, you should check that:

    • The private key matches the certificate: https://decoder.link/matcher;
    • The proper headers are included in the files. For the certificate:

      -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----

      For the private key:

      -----BEGIN RSA PRIVATE KEY----- & -----END RSA PRIVATE KEY-----

    • The private key formatting is correct. Check this here: https://decoder.link/rsa_converter.
  • PEM to PKCS#7

    Add the following files to the corresponding boxes:

    • .crt (.pem) file in the "Certificate File" field;
    • .ca-bundle file in the "Bundle File" field; this file may contain several certificate codes, - ensure to include them all and the tags -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- for each certificate code;
    • Finally, press the "Convert" button and download the .zip archive. Inside this archive, you will see the .p7b file.

    Note: If you provided the incorrect files, the .zip archive will open with a warning message about invalid content. It will not be possible to view the content of the .zip archive. However, this will only happen if you accidentally upload completely irrelevant files, like a Private key. At the same time, if you uploaded the wrong files but in an accepted format, such as no matching CA bundle/certificate, the .zip archive will open without error. So, be sure to use the correct corresponding files.

  • PKCS#12 to PEM

    The opposite of the "PEM to PKCS#12" option, this tool Converts .pfx files into .crt, .ca-bundle and .key files.

    To convert a PFX file into separate files, upload it to the "PKCS#12 File (*.pfx, *.p12)" field.

    Then, type in the password in the "Password" field.

    To complete the process, press the "Convert" button and download the generated files.

    Note: If the incorrect password is used, the file will still be generated and downloadable, but it will be invalid. The .zip archive will not open after being downloaded.

  • PKCS#7 to PEM

    Upload the .p7b/.cer file with the certificate to the "PKCS#7 File (*.cer, *.p7b, *.p7s)" field and press the "Convert" button.

  • PKCS#7 to PKCS#12

    Upload the following files:

    • The .p7b file to the "PKCS#7 File (*.cer, *.p7b, *.p7s)" field;
    • The .key (.txt) file to the "Key File" field, making sure it includes the following tags: -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----. The location of this file depends on how the CSR code was generated. Find more information here.

    Type in the password and press the "Convert" button to finish the process.


OCSP Checker

A tool for checking the revocation status of SSL certificates. This tool can check SSLs purchased from Namecheap and third-party ones.

Paste the certificate in PEM format to the box and press "Check". If your revocation status is good, you will receive a result similar to the image below:

If an invalid certificate (like a self-signed one) is submitted for an OCSP check, the result will be:


Key Matcher

A tool designed to verify whether a certificate and Private key/CSR match: https://decoder.link/matcher.

A successful result will show one of the following messages: "Private key matches the certificate." or "CSR matches the certificate."

Even if the certificate/CSR/Private key is pasted without its corresponding headers, the tool will accept it with no issue.

An unsuccessful result will show the message: "Private key doesn't match the certificate." or "CSR doesn't match the certificate."


CA Matcher

The " CA Matcher" tool is used to check if the CA certificate directly verifies the end-entity one. In other words, it shows whether your installed CA Bundle matches the end-entity certificate on the server. You can use this checker to ensure that you are using the correct CA Bundle for your SSL installation.

Note: The whole CA chain cannot be pasted into the "CA Certificate" field, as the tool can parse only one certificate from the chain.

Due to peculiarities of how certificate chains work (see below), only an intermediate certificate will be considered a match for the end-entity certificate because it directly signs it.

Thus, the first certificate from the provided chain file should be checked.

This means that if you paste either the "USERTrust RSA Certification Authority" or "AAA Certificate Services" root certificates into the "CA Certificate" field, the following error will appear:

Therefore, only an intermediate certificate should be pasted in the "CA Certificate" field. This differs depending on the SSL type:

  • DV RSA: Sectigo RSA Domain Validation Secure Server CA;
  • OV RSA: Sectigo RSA Organization Validation Secure Server CA;
  • EV RSA: Sectigo RSA Extended Validation Secure Server CA;
  • DV ECC: Sectigo ECC Domain Validation Secure Server CA;
  • OV ECC: Sectigo ECC Organization Validation Secure Server CA;
  • EV ECC: Sectigo ECC Extended Validation Secure Server CA.

Here you can download the needed intermediate certificate or the corresponding CA Bundle.

Once you paste a correct end-entity certificate in the "End-entity certificate" field and the correct intermediate certificate into the "CA Certificate" field, press the "Match" button. If the check was successful, the message: "CA Certificate matches the end-entity certificate." will pop up.


CT Log Tool

A tool for checking Certificate Transparency logs: https://decoder.link/certificate_transparency.

Paste the PEM certificate into the "Certificate" field and press the "Check" button. Afterward, the result will appear at the bottom of the page in the "CT Information (info source: crt.sh)" section.


OpenSSL -trace

A tool for observing a detailed SSL/TLS handshake using OpenSSL enable-ssl-trace (trace output of protocol messages): https://decoder.link/trace

Write your domain name, set the desired port number, and press the "Check" button.


RSA Keys Converter

You may experience a situation where you generate a Private key in an incorrect format that your server doesn’t accept. In such an instance, the server may not recognize the Private key and state that it does not match the certificate. If this happens, you’ll need to fix the key’s formatting using this tool: https://decoder.link/rsa_converter.

Simply paste the Private key, including headers, into the box, and press the "Convert" button.


PKCS#1 vs PKCS#8 Private key formats

The only difference between these formats is that the PKCS#8 format is the key object from PKCS#1 but without the version or algorithm identifier in front. "BEGIN RSA PRIVATE KEY" is PKCS#1 and indicates that the key type is also included in the key data.

Note: Some servers may not accept #PKCS1 format (mostly Java-based servers).


PKCS#1:

-----BEGIN RSA PRIVATE KEY-----

BASE64 ENCODED DATA

-----END R

-----BEGIN PRIVATE KEY-----

BASE64 ENCODED DATA

-----END PRIVATE KEY-----

PKCS#8 is the more popular format, but generally, both formats are accepted, and it’s rare that a server won’t accept PKCS#1. However, if you ever experience a server not accepting a matching certificate and Private key, try to change your private key format using the key converter tool.


Bulk SSL Checker

This tool can check multiple domain names simultaneously: https://decoder.link/bulk.

The result will show a short description of the SSL connections for the domains/subdomains listed in the field box. If an SSL certificate is installed correctly, you will see a green checkmark next to the domain and the message, "All is good".

If you click the arrow icon on the right, you will be redirected to a https://decoder.link/sslchecker/ tool with a full SSL report in another browser window.


Alt DCV Checker

This tool checks HTTP, HTTPS, and DNS validation information and its completion status.

Although there are three fields, it is enough just to paste the CSR code and the unique validation value you can get from the Sectigo InstantSSL admin panel:

After you specify CSR and the unique value, press the "Check" button.

If the validation is successful, you will receive the message: "Congratulations! Your request passes at least one alternative validation check."

If validation hasn’t passed, you’ll see the message: "None of the alternative domain control validation checks passed."

Scroll down to see 3 detailed reports about each validation check:

  • HTTP ALT DCV INFO – checks the validation file presence via the HTTP protocol and shows detailed results (page content, status code, content type);
  • HTTPS ALT DCV INFO – checks the validation file presence via the HTTPS protocol;
  • DNS ALT DCV INFO – checks the validation CNAME record presence using dig commands; also checks if there is a CNAME record with a duplicated domain name (which might be handy).

You can then fix the validation file or record accordingly based on your results.

That’s it! If you have any questions or require assistance with the Decoder.link tool, please leave a comment below or contact our SSL Support.

Updated
Viewed
12135 times

Need help? We're always here for you.

notmyip