Verify a certificate

Bernhard Fröhlich ted at
Tue Jan 5 13:11:42 UTC 2021


just in case you want to check a webserver installation (which is not 
explicitly mentioned in Viktor's answer) I want to add this...

In this case (IMHO) the s_client tool of openssl can do what you need. Try

     openssl s_client -connect -CAfile 

where "SpecialCAFile.pem" only contains the root certificate of your 
"Root X" CA. This gives quite a bit of text as output. Look for a line 
"Verification: OK" in this output (usually after the PEM-encoded server 
certificate), if you can find it the certificate chain should be OK. 
Otherwise you'll find something like "Verification error: unable to get 
local issuer certificate"

Hope this helps,

On 2021-01-05 13:43, Yassine Chaouche wrote:
> Dear list,
> I would like to learn how to use openssl tools to make sure
> a chained certificate is valid ?
> example :
> Let's say I got the Cert certificate signed by Intermdiate
> X, but by making the full chain certificate I inadvertly
> inserted Intermediate Y instead of X. The (broken)
> certificate chain inside Cert would be :
> Cert < Intermediate Y < Root X
> How do I detect this error with openssl tools ? are there
> tools that print issuer and subject of each certificate in
> a chain ?
> Thanks for your guidance.

More information about the openssl-users mailing list