X509 certificates establish authenticity in a chained manner: each certificate is signed by the one above it. The internet at large uses certificate chains because they add flexibility to trust, but that flexibility also adds complexity for system and network administrators and security staff. In this tutorial we will look at how to verify a certificate chain.
X509 Certificate
X509 certificates are very common on the internet. They are used to establish trust between entities. Certificate Authorities generally chain X509 certificates together. An X509 certificate carries information such as the subject name, URL, organization and signature.
Verify Certificate Chain
Say we have a chain of 3 certificates and want to verify them in order, one link at a time. We can do that with the -partial_chain option, using the following steps.
c1 is the leaf certificate
c2 is the middle (intermediate) certificate
c3 is the root certificate
Verify c1
We will verify c1 by using the c2 certificate as the trusted certificate:
$ openssl verify -CApath /dev/null -partial_chain -trusted c2 c1
Verify c2
We will verify c2 by using the c3 certificate as the trusted certificate:
$ openssl verify -CApath /dev/null -partial_chain -trusted c3 c2
Verify c3
We will verify c3 using the Google.pem certificate. In this step we do not need -partial_chain, because Google.pem is a self-signed certificate, which means it is a root certificate.
$ openssl verify -CApath /dev/null -trusted /etc/ssl/certs/Google.pem c3
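The three steps above, as an added example that is not part of the original tutorial: the script below generates its own throwaway chain (c3 root, c2 intermediate, c1 leaf; every subject, file name and DNS name is constructed here) and then runs the same link-by-link checks, plus two checks that are expected to fail. It assumes OpenSSL 1.1.0 or newer and uses -no-CAfile -no-CApath instead of the tutorial's -CApath /dev/null so that the system trust store cannot contribute to the result.

```shell
#!/bin/sh
# Added example (not from the tutorial): build a throwaway c3 -> c2 -> c1 chain and
# verify it link by link with `openssl verify -partial_chain`. All subjects, file
# names and the DNS name below are constructed for this demo. Assumes OpenSSL >= 1.1.0.
set -eu

# Write a minimal config for one certificate: $1 = path, $2 = CN, $3 = "ca" or "leaf".
# The [ext] section is used both by `req -x509` and by `x509 -req -extfile`.
write_cnf() {
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n[ext]\n' "$2"
        if [ "$3" = ca ]; then
            printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n'
        else
            printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature\n'
            printf 'subjectAltName = DNS:leaf.example.test\n'
        fi
        printf 'subjectKeyIdentifier = hash\n'
    } > "$1"
}

# Create a key and CSR for $1 in directory $2, then sign it with issuer cert $3 / key $4.
issue() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$2/$1.cnf" -keyout "$2/$1.key" -out "$2/$1.csr"
    openssl x509 -req -in "$2/$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial -days 2 -sha256 \
        -extfile "$2/$1.cnf" -extensions ext -out "$2/$1.pem"
}

# Create c3 (self-signed root), c2 (signed by c3) and c1 (signed by c2) in directory $1.
make_chain() {
    write_cnf "$1/c3.cnf" "Example Root CA" ca
    write_cnf "$1/c2.cnf" "Example Intermediate CA" ca
    write_cnf "$1/c1.cnf" "leaf.example.test" leaf
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 2 \
        -sha256 -config "$1/c3.cnf" -extensions ext -keyout "$1/c3.key" -out "$1/c3.pem"
    issue c2 "$1" "$1/c3.pem" "$1/c3.key"
    issue c1 "$1" "$1/c2.pem" "$1/c2.key"
}

# One link: does $1 chain to the single trusted certificate $2, which need not be self-signed?
# -no-CAfile -no-CApath keep the system store out; -partial_chain accepts $2 as the anchor.
verify_link() {
    openssl verify -no-CAfile -no-CApath -partial_chain -trusted "$2" "$1" >/dev/null 2>&1
}

# The same check without -partial_chain: only a self-signed trusted certificate ends a chain.
verify_link_strict() {
    openssl verify -no-CAfile -no-CApath -trusted "$2" "$1" >/dev/null 2>&1
}

# Report the outcome of a check as "label:OK" or "label:FAIL".
outcome() { label="$1"; shift; if "$@"; then echo "$label:OK"; else echo "$label:FAIL"; fi; }

# Walk the chain as in the tutorial (three OK lines), then show two checks that must fail:
# skipping the intermediate, and using a non-self-signed anchor without -partial_chain.
chain_report() {
    d="$(mktemp -d)"
    make_chain "$d"
    printf '%s %s %s %s %s\n' \
        "$(outcome c1-by-c2 verify_link "$d/c1.pem" "$d/c2.pem")" \
        "$(outcome c2-by-c3 verify_link "$d/c2.pem" "$d/c3.pem")" \
        "$(outcome c3-self verify_link_strict "$d/c3.pem" "$d/c3.pem")" \
        "$(outcome c1-by-c3 verify_link "$d/c1.pem" "$d/c3.pem")" \
        "$(outcome no-partial verify_link_strict "$d/c1.pem" "$d/c2.pem")"
    rm -rf "$d"
}

chain_report
```

The script prints c1-by-c2:OK c2-by-c3:OK c3-self:OK c1-by-c3:FAIL no-partial:FAIL. The two FAIL entries show what -partial_chain changes: without it a trusted certificate that is not self-signed is not accepted as the end of the chain, and skipping c2 fails either way because c1's issuer is simply absent. One caveat on the tutorial's commands: -CApath /dev/null only replaces the hashed-directory lookup, and openssl verify still loads the default CA file unless -no-CAfile is given, so a certificate that happens to chain to a system root would verify even if the -trusted certificate is the wrong one (OpenSSL 3 additionally has -no-CAstore for its store-based lookup).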
Ismail, I was almost in tears 😉 before I saw this and -partial_chain, in particular. I knew there had to be a way to avoid having to specify a root cert. I grepped the openssl verify “app” to see all the verify options, but didn’t think to do same for openssl itself. Do you know if -partial_chain is relatively new? Thanks a ton!
Hi Mark, I try to provide reliable tutorials, and as part of this openssl has the -partial_chain option, which can be used with the verify command.