openssl verify doesn't expect certificate file to contain its chain. Chain needs to be passed with -untrusted argument. It works with the same file, trust is still determined by finding a trusted root in -CAfile .
Verify certificate chain with OpenSSL. Published by Tobias Hofmann on February 18, 2016 February 18, 2016. Download PDF version. 6 min read. A good TLS setup includes providing a complete certificate chain to your clients. This means that your web server is sending out all certificates needed to validate its certificate, except the root Get your certificate chain right. As many know Aug 17, 2018 Checking A Remote Certificate Chain With OpenSSL The certificate chain consists of two certificates. At level 0 there is the server certificate with some parsed information. s: is the subject line of the certificate and i: contains information about the issuing CA. This particular server (www.woot.com) has sent an intermediate certificate as well. How To Verify Certificate Chain with OpenSSL? – POFTUT
Jan 10, 2018
The certificate chain consists of two certificates. At level 0 there is the server certificate with some parsed information. s: is the subject line of the certificate and i: contains information about the issuing CA. This particular server (www.woot.com) has sent an intermediate certificate as well. openssl verify doesn't expect certificate file to contain its chain. Chain needs to be passed with -untrusted argument. It works with the same file, trust is still determined by finding a trusted root in -CAfile .
The third operation is to check the trust settings on the root CA. The root CA should be trusted for the supplied purpose. For compatibility with previous versions of SSLeay and OpenSSL a certificate with no trust settings is considered to be valid for all purposes. The final operation is to check the validity of the certificate chain.
Verify Certificate Chain. Say we have 3 certicate chain. We want to verify them orderly. We can use -partial_chain option. with the following steps. c1 is the leaf certificate; c2 is middle certificate; c3 is the root certificate; Verify c1. We will verify c1 by using c2 certificate $ openssl verify -CApath /dev/null -partial_chain -trusted c2 How to view certificate chain using openssl - Server Fault From commandline, openssl verify will if possible build (and validate) a chain from the/each leaf cert you give it, plus intermediate(s) from -untrusted (which can be repeated), and possibly more intermediate(s) to a root (or anchor) in -trusted or-CAfile and/or -CApath or the default truststore, which is usually determined by your system or How can I verify SSL certificates on the command line openssl verify cert.pem If your "ca-bundle" is a file containing additional intermediate certificates in PEM format: openssl verify -untrusted ca-bundle cert.pem If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CApath or …