Verify a certificate
ted at convey.de
Tue Jan 5 13:11:42 UTC 2021
just in case you want to check a webserver installation (which is not
explicitly mentioned in Viktor's answer) I want to add this...
In this case (IMHO) the s_client tool of openssl can do what you need. Try
openssl s_client -connect yourhost.example.org:443 -CAfile
where "SpecialCAFile.pem" only contains the root certificate of your
"Root X" CA. This gives quite a bit of text as output. Look for a line
"Verification: OK" in this output (usually after the PEM-encoded server
certificate), if you can find it the certificate chain should be OK.
Otherwise you'll find something like "Verification error: unable to get
local issuer certificate"
Hope this helps,
On 2021-01-05 13:43, Yassine Chaouche wrote:
> Dear list,
> I would like to learn how to use openssl tools to make sure
> a chained certificate is valid ?
> example :
> Let's say I got the Cert certificate signed by Intermdiate
> X, but by making the full chain certificate I inadvertly
> inserted Intermediate Y instead of X. The (broken)
> certificate chain inside Cert would be :
> Cert < Intermediate Y < Root X
> How do I detect this error with openssl tools ? are there
> tools that print issuer and subject of each certificate in
> a chain ?
> Thanks for your guidance.
More information about the openssl-users