Skip to main content

Certificate Basics (KBA10543)







This article, and its companion articles, describe how to investigate the contents of certificates in PEM, JKS, PKCS#12 and PFX files, as well as certificates bound to a listening TLS enabled port. The information in this article is not specific to Delphix and broadly applies to all application scenarios where x509 certificates are used for SSL/TLS. Examples covering both Unix and Windows commands are provided. The focus for investigation methods is using command line tools.

This article does not address specific certificate error messages as seen in the Delphix appliance. Instead it provides useful information to understand the most common types of errors that you may encounter in many applications related to certificates.



This is a simplified reference and not a comprehensive explainer document for x509 certificates and TLS/SSL. Many details have been omitted for simplicity.


Applicable Delphix Versions

Click here to view the versions of the Delphix engine to which this article applies
Date Release
Nov 21, 2023
Oct 18, 2023
Sep 21, 2023
Aug 24, 2023
Jul 24, 2023
Jun 21, 2023
May 25, 2023
Apr 13, 2023 |
Mar 13, 2023 | Mar 20, 2023 |
Feb 13, 2023
Jan 12, 2023
Releases Prior to 2023
Major Release All Sub Releases





What Is a Valid Certificate?

When importing a certificate or after import, errors may be reported when accessing an application over a secure connection with TLS (such as an HTTPS enabled web page). These errors broadly fall into two categories:

  • Errors with the actual certificate on the server.
  • Errors with the client configuration accessing the server.

When diagnosing problems, it helps to understand what constitutes a valid certificate as seen from the server and also the client. Below is a simplified description of the most common components in a certificate that both the server and the client expect to be valid.

Distinguished Name (DN)

AKA: Issued to, Subject
Description: Is a name in x.500 format that is unique to the certificate. The DN may contain multiple fields. By convention, the most significant field is the Common Name (CN) which is the hostname used by the client to access the server. This should match the hostname a client will use in the address exactly. For example, if the client accesses, then the CN must be Neither myhost or are correct matches.
Valid: The CN matches the hostname or FQDN exactly as shown in the address bar URL of the web browser.
Invalid: The CN does not match the address URL.
Scope: Client

NOTE: The validity checks for the DN are generally superseded on modern web browsers by the Subject Alternative Names validation check.

Subject Alternative Name (SAN)

AKA: -
Description: This is a repeating field in a certificate and, when used for HTTPS, most modern web browsers will expect the hostname or FQDN in the address URL to exactly match one of the SANs.
Valid: The address URL is an exact match for one of the SANs.
Invalid: None of the SAN entries match the address URL. 
Scope: Client


AKA: Friendly Name
Description: For keystore files only (JKS, PKCS#12, and PFX) this is a label attached to certificate so that an importing application can identify the correct certification from a file containing more than one.
Valid: The end-entity (HTTPS or DSP) certificate in the file has an alias.
Invalid: No alias is given to the end-entity certificate. 
Scope: Server

Validity period

AKA: Start time, Not before, Valid from, End time, Not after, Valid until
Description: These are timestamps that indicate two points in time between which the certificate is usable. Before the earliest timestamp, the certificate is not yet valid. After the latest timestamp, the certificate is expired.
Valid: The current real time is between the two timestamps.
Invalid: The current real time is outside of the time period of the timestamps. 
Scope: Server & Client

Certificate Chain

AKA: Issuer, Issued by
Description: Every certificate is issued by another certificate (Certificate Authority or CA certificate) until a special certificate that is issued by itself (a self-signed certificate where the Issued to and Issued by fields are identical) called the "root" CA certificate. A certificate chain must include all certificates down to the root certificate. Because a root certificate could also be an end-entity certificate, a chain could be just one single certificate. Usually, a chain will be one root CA certificate, one or more intermediate CA certificates, and the end entity certificate.
Valid: An unbroken chain of certificates linking the Issued by field of the end entity certificate all the way back to the root CA certificate.
Invalid: One or more certificates missing resulting in a broken chain. 
Scope: Server

Trusted Certificate

AKA: -
Description: A certificate is trusted if it or the issuing intermediate CA and root CA certificates exist in the client's truststore. Operating systems like Microsoft Windows and Apple OSX come preloaded with CA certificates from the most trusted global Certificate Authorities. But operating systems will not have lesser known or corporate CA certificates installed unless you explicitly install them. For example, when a website's HTTPS certificate's issuing CA certificate is not in the operating system's truststore, a web browser will report that the page is not secure or the site is not trusted.
Valid: The CA certificates exist in the operating system's truststore.
Invalid: The CA certificates do not exist in the operating system's truststore. 
Scope: Client

Key Length

AKA: Server key length, Private key length, Public key length
Description: The number of bits used in the cryptographic public and private key pair. A client application may require a minimum length to consider a certificate as meeting minimum security requirements.
Valid: The key length is equal to or longer than the minimum required by the application.
Invalid: The key length is shorter than the minimum required by the application. 
Scope: Client & Server

The majority of certificate related errors are going to be based on the invalid state of one or more of the above characteristics. 


Related Articles

The following articles may provide more information or related information to this article: