Verify a certificate

Viktor Dukhovni openssl-users at
Tue Jan 5 12:52:20 UTC 2021

On Tue, Jan 05, 2021 at 01:43:12PM +0100, Yassine Chaouche wrote:

> How do I detect this error with openssl tools ? are there
> tools that print issuer and subject of each certificate in
> a chain ?

If, by chain, you mean a PEM file with one or more X509 certificates,
then yes.  Suppose the file is "certs.pem":

    $ openssl crl2pkcs7 -nocrl -certfile certs.pem |
        openssl pkcs7 -print_certs -noout -subject -issuer

If you want to instead verify the chain, against some root CA in some
file (perhaps the very same file, just use certs.pem instead of

    $ openssl verify -untrusted certs.pem -trusted roots.pem certs.pem

You can also check for the expected hostname with

    $ openssl verify -untrusted certs.pem -trusted roots.pem \
        -verify_hostname certs.pem


More information about the openssl-users mailing list