Common Errors And PKI Certificate Troubleshooting

In any system that uses Public Key Infrastructure, from encrypting and digitally signing email to securing a website where customers send personal and financial information, keeping users free of glitches and error messages is critical for the IT team.

This is also true if you are installing an SSL/TLS (Secure Sockets Layer/Transport Layer Security) product for the first time. At Comodo, we know and understand how frustrating it can be to track down the problem. With over a decade in business as a Trust Provider, we have developed a comprehensive PKI certificate troubleshooting guide for anyone to use.

To help prevent problems in the first place and limit the need for PKI certificate troubleshooting, we recommend following the step-by-step tutorials and guides set out in our knowledgebase. Just search for the specific server, device, browser or email client you are using and the error or issue you are experiencing.

It is also a great idea to send a message through the Comodo forums. Here you will find other Comodo users, most of them IT professionals, able to provide help, insight and general information. Of course, you are also free to contact our support team at any time. We try to answer all tickets in an hour and we will get to everyone within a day, with our support and technical team able to diagnose and address issues quickly and effectively.

Common SSL/TLS Issues for Domains

One of the biggest problems for those new to SSL/TLS products is the specificity required when completing the Certificate Signing Request (CSR).

If the Common Name entered for the website is not the accurate Fully Qualified Domain Name, then there will be a security warning. At the heart of this type of PKI certificate troubleshooting is usually what is known as a name mismatch.

The name listed on the certificate as the Fully Qualified Domain Name or Common Name was either entered incorrectly, or the URL being used is a Subject Alternative Name and either the certificate doesn't support Subject Alternative Names or that particular name was not listed on a Multi-Domain or UC certificate. A good example of this would be typing in if the Fully Qualified Domain Name on the cert was listed as without the "www" subdomain component.

In general, most of the new certs offered by the big Certificate Authorities (CAs) will automatically cover both the www and the version of the URL without the www, but older certs may not.

Wildcard SSL products can also cause problems with different subdomain levels. For example, if you used the wildcard (*) symbol for the subdomain level as in *.mycompany.com that would cover, or If you went to a second level subdomain such as that second-level subdomain would not be secure and a warning would show. Remember, only the specific "wildcard" subdomain level will be included in the coverage for the cert.
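The name-mismatch cases above can be checked mechanically. The following Python sketch is an added example, not Comodo's code: it models the common rule that a wildcard is the whole leftmost label and stands for exactly one label, and classifies why a hostname is not covered. The function names and all hostnames other than `*.mycompany.com` are constructed for illustration.

```python
def name_covers(pattern: str, hostname: str) -> bool:
    """True if one certificate name (exact or wildcard) covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never several
    if p[0] == "*":
        # Only a whole leftmost "*" label is treated as a wildcard here;
        # partial forms such as "w*" are compared literally and never match.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def diagnose(hostname: str, cert_names: list[str]) -> str:
    """Classify a hostname against the names (CN and SANs) on a certificate."""
    if any(name_covers(n, hostname) for n in cert_names):
        return "ok"
    host = hostname.lower().rstrip(".")
    # Case 1: the cert covers only the other www / non-www form of the name.
    alt = host[4:] if host.startswith("www.") else "www." + host
    if any(name_covers(n, alt) for n in cert_names):
        return "www-variant-only"
    # Case 2: a wildcard exists for this domain, but at a different level.
    for n in cert_names:
        if n.startswith("*."):
            base = n[2:].lower()
            if host == base or host.endswith("." + base):
                return "wildcard-wrong-level"
    return "name-mismatch"


if __name__ == "__main__":
    # Constructed sample names; only *.mycompany.com comes from the article.
    samples = [
        ("shop.mycompany.com", ["*.mycompany.com"]),
        ("a.shop.mycompany.com", ["*.mycompany.com"]),
        ("www.mycompany.com", ["mycompany.com"]),
        ("mail.othercompany.com", ["mycompany.com", "www.mycompany.com"]),
    ]
    for host, names in samples:
        print(f"{host:26} {names} -> {diagnose(host, names)}")
```

To check a live certificate, pass the Common Name and every Subject Alternative Name it lists as `cert_names`.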

In some situations, an error in the intermediate certificate installation may also be the cause. This often happens because some certification paths are complex, with multiple intermediate certs. It can be corrected by reinstalling the certificate bundle in the correct order.

Email Troubleshooting

The most common issue with Personal Authentication, Email or Client certificates is trouble logging in from a new or different device.

It is important to realize that Comodo uses a two-factor authentication system, which requires that the user log into the device, browser or email client using the password and ID on file. The certificate must then also be present, or the login will fail.

With our Enterprise system, this failure will trigger a message to the user that allows a one-time passcode to be provided for use. For both personal and business use, it is possible to export the certificate and import it to another email client if required. You will need to make sure to also move the private key.

Incorrect passwords or user IDs, an Android device that doesn't support S/MIME (Secure/Multipurpose Internet Mail Extensions) or Email certs, or other factors can also be at the heart of the problem.

If you need help with PKI certificate troubleshooting, our technical team is here to help. For questions about getting the right product don't hesitate to contact our sales team at +1 888 266 6361 or online at
