This KB guide focuses on using OpenSSL and the SSL/TLS testing script to validate SSL/TLS certificates, ensuring they are configured correctly, include a complete certificate chain, and chain to a trusted root. It covers testing certificates both locally and on HAProxy servers.

The tool is a script for testing SSL/TLS configurations, including those on HAProxy. This guide provides instructions for testing SSL certificates on HAProxy, ensuring they are valid, correctly configured, and include a complete certificate chain.


1. Install OpenSSL:

  1. Ensure OpenSSL is installed on your system. Most Linux distributions include it by default:

    Code Block
    openssl version

2. Install

  1. Clone the repository from GitHub

    Code Block
    git clone --depth 1

    Make the script executable

    Code Block
    chmod +x
  2. HAProxy Configuration (if applicable):

    • Confirm HAProxy is running and configured to terminate SSL/TLS.

    • Check that the front-end and back-end configurations are correct.

    • Verify the SSL/TLS port (default 443) is exposed for testing.


Validating a PEM Certificate



1. Check PEM File Syntax

Run the following command to ensure the PEM file contains a valid certificate and to display its contents:

Code Block
openssl x509 -in <certificate_file>.pem -noout -text


  • Verifies that the file parses as a certificate.

  • Displays details such as issuer, subject, validity period, and extensions.

  • Note that openssl x509 reads only the first certificate in the file, so on a chain bundle this shows the server certificate and says nothing about the intermediates.

If the PEM file contains the entire certificate chain (server + intermediate certificates), check every certificate in it, not just the first. Breaking the bundle down certificate by certificate shows whether the intermediates are present and whether each certificate’s issuer matches the subject of the one that follows it.


2. Verify Certificate Matches Private Key

Ensure the certificate and private key correspond:

Code Block
openssl x509 -noout -modulus -in <certificate_file>.pem | openssl md5
openssl rsa -noout -modulus -in <private_key>.key | openssl md5

The two hashes must match; if they do, the certificate and key are correctly paired. This modulus comparison applies to RSA keys only.

3. Check Certificate Expiry Date

Confirm the certificate is within its validity period:

Code Block
openssl x509 -in <certificate_file>.pem -noout -dates

This displays the notBefore and notAfter dates.

4. Verify Intermediate Certificate is Trusted

Use the following command to confirm that the intermediate certificate is signed by a trusted root (<root_ca.pem> is the root CA, <certificate_file>.pem the intermediate to check). Run on the server certificate alone, the same command fails with “unable to get local issuer certificate” unless the intermediate is also supplied, which is exactly the incomplete-chain symptom this guide is about:

Code Block
openssl verify -CAfile <root_ca.pem> <certificate_file>.pem

Test with OpenSSL Local Server

You can test a PEM certificate directly by hosting it temporarily with a test server, such as OpenSSL’s built-in one.

1. Start a Local Test Server


Use OpenSSL to serve the PEM certificate on a local port:


  • Replace <certificate_file>.pem with your PEM file.

  • Replace <private_key>.key with the corresponding private key.

2. Run Against the Local Test Server

With the test server running, point the testing script at the local port and check for:


  • Certificate validity.

  • Complete certificate chain.

  • Expiration and trustworthiness.

3. Validate Certificate Chain

Ensure the PEM file contains:

  • The server certificate first.

  • The intermediate certificates after it, in signing order (each one issued by the next). The root CA itself does not need to be included; clients already hold it in their trust store.

Concatenate the certificates if necessary:

Code Block
cat server.crt intermediate.crt > fullchain.pem

Use the script to validate the chain:

Code Block
./ --certs

Look for issues like “Incomplete chain” or “Missing intermediate certificates”.
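The PEM checks and the local-server test described in the two sections above, as one added example that is not part of the original KB page and is not OpenSSL project code. It builds a throwaway root, intermediate and server certificate with OpenSSL so it runs offline, then exercises each step: listing every certificate in the bundle, confirming the key matches the certificate, checking expiry, verifying the chain against the root (and showing the failure produced when the intermediate is missing), and finally serving the bundle on a local port with OpenSSL’s test server and probing it with its client. The CA names, www.example.test, the file names and port 14433 are assumptions made for the demo; the probe function applies unchanged to a HAProxy front-end if you point it at that host and port.

```shell
#!/usr/bin/env bash
# Added example (not from the original KB page, not OpenSSL project code).
# Builds a throwaway root -> intermediate -> server PKI and runs the PEM
# checks and the local-server test against it. Names, file names and
# port 14433 are assumptions for the demo; nothing touches a real host.
set -eu

WORK="$(mktemp -d)"
SERVER_PID=""
trap 'kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"' EXIT
cd "$WORK"

# --- constructed test PKI (root signs intermediate, intermediate signs server) ---
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout intermediate.key -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.ext -out intermediate.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
  -days 90 -extfile leaf.ext -out server.crt 2>/dev/null
# Server certificate first, then the intermediate(s): the order clients expect.
cat server.crt intermediate.pem > fullchain.pem

# 1. List every certificate in a bundle (openssl x509 alone shows only the first).
list_chain() {            # list_chain fullchain.pem
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}
chain_length() {          # chain_length fullchain.pem  -> number of certificates
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 2. Key/certificate pairing. Comparing the public keys works for RSA and EC
#    keys alike; the modulus/md5 comparison in the text is RSA-only.
key_matches_cert() {      # key_matches_cert server.crt server.key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 3. Expiry: succeeds only if the certificate is still valid $2 days from now.
cert_valid_for_days() {   # cert_valid_for_days server.crt 30
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 4. Chain trust: the first certificate in the bundle is verified against the
#    root, with the rest of the bundle supplied as untrusted intermediates.
verify_chain() {          # verify_chain root.pem fullchain.pem
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# 5. Serve the certificate with OpenSSL's test server, then connect as a client
#    with only the root trusted and hostname checking on. Point this at a
#    HAProxy front-end instead and the same probe applies.
serve_and_probe() {       # serve_and_probe server.crt intermediate.pem server.key root.pem 14433
  openssl s_server -accept "$5" -cert "$1" -cert_chain "$2" -key "$3" -www >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 2
  out="$(openssl s_client -connect "127.0.0.1:$5" -servername www.example.test \
         -verify_hostname www.example.test -CAfile "$4" </dev/null 2>&1 || true)"
  kill "$SERVER_PID" 2>/dev/null || true
  SERVER_PID=""
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Demo run
list_chain fullchain.pem
openssl x509 -in server.crt -noout -dates
key_matches_cert server.crt server.key && echo "key matches certificate"
verify_chain root.pem fullchain.pem && echo "full chain verifies against root"
# The server certificate alone cannot be verified: the incomplete-chain case.
openssl verify -CAfile root.pem server.crt 2>&1 || true
serve_and_probe server.crt intermediate.pem server.key root.pem 14433 && echo "local TLS probe ok"
```

To use the functions on a real deployment, drop the PKI-generation part and call them with your own fullchain.pem, key and the CA bundle your clients trust; the `openssl verify` run on the bare server certificate is kept in the demo precisely because its error text is what an incomplete chain looks like from OpenSSL’s side.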


Testing SSL Certificates on HAProxy

Using the Script for HAProxy SSL/TLS Validation

1. Basic SSL/TLS Validation


Check the HAProxy SSL/TLS configuration:



Code Block
./ https://<haproxy_domain_or_IP>:<port>

This checks:

  • Supported protocols.

  • Available ciphers.

  • Certificate properties.

2. Certificate Chain Validation

To validate the certificate chain HAProxy presents and confirm it is complete:

Code Block
./ --certs https://<haproxy_domain_or_IP>

This identifies:

  • Whether the certificate is active and not expired.

  • Missing intermediate certificates.

  • Trust issues: whether the chain leads to a trusted root CA.

3. Testing Specific Front-ends

If HAProxy has multiple front-ends with SSL configured on different ports, specify the port:

Code Block
./ https://<haproxy_domain_or_IP>:<port>

Example:

Code Block

HAProxy-Specific Considerations


Common Issues and Solutions

1. Incomplete Certificate Chain


HAProxy must be configured to provide the full certificate chain. Ensure the PEM file it loads contains the server certificate followed by the intermediate certificates, in that order; the root is not required. HAProxy also reads the private key from the same PEM file, so concatenate the key in as well (recent releases can alternatively load it from a file with the same name and a .key suffix).
Update your HAProxy configuration to use the fullchain.pem:

Code Block
frontend www-https_frontend
    # crt takes the PEM file itself; crt-list expects a text file listing PEM paths
    bind *:443 ssl crt /etc/haproxy/ssl/fullchain.pem
    # reqadd was removed in HAProxy 2.1; http-request set-header is the replacement
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    default_backend app_backend

Restart HAProxy After Configuration Changes

After updating certificates, validate the configuration (see step 4 below) and then restart HAProxy to apply the changes. A reload, rather than a full restart, also picks up the new certificate without dropping established connections:

Code Block
systemctl restart haproxy

2. Untrusted Certificate

  • Verify the root CA is trusted on client systems.

  • Cross-check using online tools like SSL Labs.

3. Incorrect Certificate Deployment

Verify the PEM file and private key:

Code Block
openssl x509 -in /etc/haproxy/fullchain.pem -text -noout
openssl rsa -in /etc/haproxy/server.key -check

4. SSL Configuration Errors

Validate HAProxy configuration:

Code Block
haproxy -c -f /etc/haproxy/haproxy.cfg

Ensure each bind directive specifies the correct SSL/TLS options (certificate path, minimum protocol version, ciphers).
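As an added example (not from the original KB page and not an official HAProxy sample), here is a front-end with the loose settings a chain and protocol scan typically flags, beside the hardened form that the checks above should pass. All paths, front-end and backend names, and the listening ports are assumptions; the cipher lists are the usual TLS 1.2 ECDHE/AEAD set and the three TLS 1.3 suites, and the ciphersuites directive needs HAProxy 2.0 or later built against OpenSSL 1.1.1 or later.

```haproxy
# Added example: weak front-end followed by the hardened equivalent.
# Paths, front-end/backend names and ports are assumptions for the demo.

global
    # Defaults inherited by every 'bind ... ssl' line that does not override them.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # TLS 1.3 suites (HAProxy 2.0+, OpenSSL 1.1.1+)
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

# BEFORE: what an "incomplete chain" / "weak protocol" finding usually looks like.
# server-only.pem holds the key and server certificate but no intermediate, so
# clients that do not already cache the intermediate fail verification, and the
# per-bind ssl-min-ver overrides the global default back down to TLS 1.0.
frontend https_weak
    bind *:8443 ssl crt /etc/haproxy/ssl/server-only.pem ssl-min-ver TLSv1.0
    default_backend app_backend

# AFTER: fullchain.pem = private key + server certificate + intermediate(s),
# TLS 1.2+ and the cipher policy inherited from global, HTTP/2 via ALPN, HSTS,
# and forwarded-proto headers in http-request syntax (reqadd is gone since 2.1).
frontend https_hardened
    bind *:443 ssl crt /etc/haproxy/ssl/fullchain.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    default_backend app_backend

# Plain HTTP exists only to redirect to the hardened front-end.
frontend http_redirect
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }

backend app_backend
    server app1 127.0.0.1:8080 check
```

Run haproxy -c -f against the file before reloading; a missing intermediate in fullchain.pem is not a syntax error and will only show up in the certificate scan, so the configuration check and the chain check are both needed.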

Advanced Testing with


1. Check for Expiring Certificates

Run the following to be warned about certificates nearing expiration:

Code Block
./ --certs --warnings https://<haproxy_domain_or_IP>

2. Analyze Protocol and Cipher Support

HAProxy often uses a specific SSL/TLS configuration. Test supported protocols and ciphers:

Code Block
./ --protocols https://<haproxy_domain_or_IP>
./ --ciphers https://<haproxy_domain_or_IP>

3. Generate Reports for Documentation

Export results for documentation or reporting:

Code Block
./ --jsonfile haproxy_test.json https://<haproxy_domain_or_IP>
./ --htmlfile haproxy_test.html https://<haproxy_domain_or_IP>


Example: Validating HAProxy SSL Certificate

Code Block
./ --certs


  • Certificate is valid: Yes

  • Chain issues: None

  • Expiration: Valid until YYYY-MM-DD

  • Protocols and ciphers: Secure configurations


By following this guide, you can validate SSL/TLS certificates using OpenSSL and the testing script, and confirm that your HAProxy SSL/TLS setup is secure, the certificate is valid, and the chain is complete. Regular checks with these tools help maintain a strong SSL/TLS posture for services like HAProxy.