How To Verify Certificate Chain with OpenSSL?
  • Post published:14/04/2021
  • Post last modified:14/04/2021

X509 certificates establish authenticity in a chained manner. The internet generally uses certificate chains to give trust some flexibility, but this adds complexity for system administrators, network administrators and security staff. In this tutorial we will look at how to verify a certificate chain.

X509 Certificate

X509 certificates are very popular on the internet. They are used to verify trust between entities. Certificate Authorities generally chain X509 certificates together. An X509 certificate provides information such as URL, Organization, Signature, etc.

Verify Certificate Chain

Say we have a chain of 3 certificates and want to verify them in order. We can use the -partial_chain option with the following steps.

  • c1 is the leaf certificate
  • c2 is the middle certificate
  • c3 is the root certificate

Verify c1

We will verify c1 using the c2 certificate.

$ openssl verify -partial_chain -trusted c2 c1

Verify c2

We will verify c2 using the c3 certificate.

$ openssl verify -partial_chain -trusted c3 c2

Verify c3

We will verify c3 using the Google.pem certificate. In this step we do not need -partial_chain because Google.pem is a self-signed certificate, which means it is a root certificate.

$ openssl verify -trusted /etc/ssl/certs/Google.pem c3
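
The link-by-link checks above, run end to end on a throwaway chain. This is an added example, not code from the original post: it generates a constructed chain in which c3 is itself the self-signed root (so no Google.pem step), and the subjects, file layout and helper names (issue, make_chain, check) are assumptions. It passes -trusted without -CApath, because on OpenSSL 1.1.0 and later -trusted already implies -no-CAfile and -no-CApath and cannot be combined with -CApath.

```shell
#!/bin/sh
# Added example: constructed chain c3 (self-signed root) -> c2 -> c1 (leaf).
# Subjects, file names and the v3_* section names are made up for the demo.

issue() {  # args: dir, name, issuer name, extension section, subject
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" -subj "$5" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3" -CAkey "$1/$3.key" \
    -CAcreateserial -days 1 -extfile "$1/ext.cnf" -extensions "$4" \
    -out "$1/$2" 2>/dev/null
}

make_chain() {  # arg: output directory
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ext.cnf" \
    -extensions v3_ca -subj "/CN=Constructed Root" \
    -keyout "$1/c3.key" -out "$1/c3" 2>/dev/null &&
  issue "$1" c2 c3 v3_ca "/CN=Constructed Intermediate" &&
  issue "$1" c1 c2 v3_leaf "/CN=leaf.example.test"
}

# Exit status 0 only when openssl verify accepts the last argument.
check() { openssl verify "$@" >/dev/null 2>&1; }

dir=$(mktemp -d) && make_chain "$dir" || exit 1

# Link by link, as in the steps above: the trusted cert is the direct issuer.
check -partial_chain -trusted "$dir/c2" "$dir/c1" && echo "c1 issued by c2: OK"
check -partial_chain -trusted "$dir/c3" "$dir/c2" && echo "c2 issued by c3: OK"
# Without -partial_chain a non-self-signed c2 is not accepted as an anchor.
check -trusted "$dir/c2" "$dir/c1" || echo "c1 via c2, no -partial_chain: rejected"
# Trusting only the root fails until the intermediate is supplied as untrusted.
check -trusted "$dir/c3" "$dir/c1" || echo "c1 via c3 alone: rejected"
check -trusted "$dir/c3" -untrusted "$dir/c2" "$dir/c1" && echo "full chain: OK"
```

The last command is the usual way to validate a whole chain in one call: the root goes in -trusted and every intermediate in -untrusted.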
