The signature algorithm can be displayed with Ikeyman, or in numeric form with gsk7capicmd/gskcapicmd:
gsk7capicmd/gskcapicmd -cert -details -db key.kdb -pw XXX -label YYY
Solution: You'll likely need to obtain a new certificate if you expect these older clients in practice.
Solution: Remove the expired cached copy of the intermediate certificate from the browser's SSL configuration.
If a subset of the user's client certificates can be validated by the server's list of certificate authorities, the browser will display that partial list of certificates to the user.
Solution: The issuer of the client certificates must be added as a trusted Certificate Authority in the server's KeyFile.
LogLevel to Debug and SSLTrace at the bottom of httpd.conf. Possible tools include tcpdump, wireshark, iptrace. See http://www-01.ibm.com/support/docview.wss?uid=swg21175744 for more info.