The Mozilla website provides NSS Security Tools that are helpful for debugging and troubleshooting SSL problems. You can obtain the source code of these tools from http://www.mozilla.org/projects/security/pki/nss/tools. This toolbox contains two tools, certutil and ssltap.
The certutil tool can be used to display all certificates stored in a certificate database and to display a single certificate in detail. Because it is possible to change or delete data in the certificate database when using this program, we recommend running the certutil tool on a copy of the original certificate database.
To use the certutil tool, you need to provide a password. However, the dsadm create command generates a default certificate database password that cannot be retrieved. Before you use the certutil tool, change the certificate database password using the dsadm set-flags instance-path cert-pwd-prompt=on command.
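One way to follow the recommendation above and keep certutil away from the live database, as an added example that is not part of the original page. The database directory, file-name prefix and nickname are operator-supplied arguments (assumptions, not paths from the page), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): inspect a COPY of the NSS
# certificate database so certutil cannot change or delete live data.
# Assumptions: the database directory, file-name prefix and nickname are
# passed in by the operator; no path here is taken from the page.

# Copy every *.db file from SRC into a private temporary directory and
# print the path of the copy. Fails if SRC holds no database files.
snapshot_certdb() {
    src=$1
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 1; }
    copy=$(mktemp -d) || return 1   # directory is accessible only to this user
    found=0
    for f in "$src"/*.db; do
        [ -f "$f" ] || continue     # unmatched glob or non-regular file
        cp -p "$f" "$copy"/ || return 1
        found=1
    done
    if [ "$found" -eq 0 ]; then
        rmdir "$copy"
        echo "no *.db files in $src" >&2
        return 1
    fi
    printf '%s\n' "$copy"
}

# List all certificates in the copy, or show one in detail when a nickname
# is given. certutil options: -L list, -d database directory,
# -P database file-name prefix, -n certificate nickname.
list_certs() {
    dbdir=$1; prefix=$2; nick=${3:-}
    if [ -n "$nick" ]; then
        certutil -L -d "$dbdir" -P "$prefix" -n "$nick"
    else
        certutil -L -d "$dbdir" -P "$prefix"
    fi
}

# Runs only when a database directory is given: script DIR [PREFIX] [NICKNAME]
if [ "$#" -ge 1 ]; then
    dir=$(snapshot_certdb "$1") || exit 1
    list_certs "$dir" "${2:-}" "${3:-}"
    rm -rf "$dir"                   # the copy includes the key database
fi
```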
The ssltap tool can capture the SSL communications between two systems. You must place the ssltap program on the connection between a Directory Server and an LDAP client. The program behaves like a Directory Server when it communicates with the LDAP client and behaves like the LDAP client when it communicates with the Directory Server.