How To Verify Certificate Chain with OpenSSL? – POFTUT


X.509 certificates establish authenticity in a chained manner: each certificate is signed by the one above it, up to a root that the verifier already trusts. Most of the internet relies on such certificate chains because they let a root CA delegate issuance to intermediate CAs, but the extra links make life harder for system administrators, network administrators and security engineers who have to check that a chain is actually valid. In this tutorial we will look at how to verify a certificate chain with OpenSSL.

X509 Certificate

X.509 certificates are ubiquitous on the internet. They are used to establish trust between entities: a Certificate Authority (CA) signs a certificate, and the relying party accepts whatever the CA vouched for. CAs generally chain X.509 certificates together, so that a root CA signs an intermediate CA certificate, which in turn signs the end-entity (leaf) certificates handed out to servers. An X.509 certificate carries the subject and issuer names, the organization, the validity period, the subject's public key, extensions such as subjectAltName (the host names the certificate is valid for) and basicConstraints (whether the holder may act as a CA), and the issuer's signature over all of it.

Verify Certificate Chain

Say we have a chain of 3 certificates. We want to verify them one link at a time, using the -partial_chain option (available since OpenSSL 1.0.2). It lets a trust anchor be a certificate that is not self-signed; without it, openssl verify only succeeds when the chain it builds ends in a self-signed root. The steps below use the following names:

  • c1 is the leaf (end-entity) certificate
  • c2 is the intermediate certificate
  • c3 is the root certificate

Verify c1

We will verify c1 using the c2 certificate. -trusted c2 marks the intermediate as a trust anchor, and -partial_chain allows verification to stop there even though c2 is not self-signed. -CApath /dev/null keeps the system CA directory out of the picture, so that only c2 counts; on OpenSSL 1.1.0 and later, -CApath alone no longer suppresses the default CA file, so add -no-CAfile -no-CApath instead if you want to be sure the system trust store is ignored.

$ openssl verify -CApath /dev/null -partial_chain -trusted c2 c1

Verify c2

We will verify c2 using the c3 certificate. Note that step 1 said nothing about c2 itself, because c2 was the trust anchor there; this step is what checks that the intermediate was really signed by the root.

$ openssl verify -CApath /dev/null -partial_chain -trusted c3 c2

Verify c3

We will verify c3 using the Google.pem certificate. In this step we do not need -partial_chain because Google.pem is a self-signed certificate, which means a root certificate, so the chain ends at a root as openssl verify expects. This step only succeeds if c3 is the root stored in /etc/ssl/certs/Google.pem (or was issued by it), which is the question the previous two steps cannot answer: whether the top of the chain is a root you already trust.

$ openssl verify -CApath /dev/null  -trusted /etc/ssl/certs/Google.pem c3
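Putting the three steps together, here is an added example (not part of the original post) that builds a throwaway root/intermediate/leaf chain with openssl, runs the three link-by-link checks, then verifies the whole chain in one invocation and confirms that the leaf is rejected when the intermediate is missing. The file names c1, c2, c3, the subject names, the 30-day validity and the use of -no-CAfile -no-CApath (OpenSSL 1.1.0 or later) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's own commands: build a disposable three-certificate
# chain (c3 root -> c2 intermediate -> c1 leaf) and verify it the way the post
# describes, link by link with -partial_chain, then as one whole chain.
# File names, subject names, key size and validity are assumptions of this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: CA certificates need basicConstraints CA:TRUE, the leaf gets CA:FALSE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Generate an unencrypted key plus a CSR for the given subject.
csr() {  # csr <name> <subject>
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {
  csr c3 "/CN=Demo Root CA"
  csr c2 "/CN=Demo Intermediate CA"
  csr c1 "/CN=www.example.test"
  # c3: self-signed root
  openssl x509 -req -in c3.csr -signkey c3.key -days 30 -sha256 \
    -extfile ca.ext -out c3 2>/dev/null
  # c2: intermediate signed by the root
  openssl x509 -req -in c2.csr -CA c3 -CAkey c3.key -CAcreateserial -days 30 -sha256 \
    -extfile ca.ext -out c2 2>/dev/null
  # c1: leaf signed by the intermediate
  openssl x509 -req -in c1.csr -CA c2 -CAkey c2.key -CAcreateserial -days 30 -sha256 \
    -extfile leaf.ext -out c1 2>/dev/null
}

# Exit 0 when 'openssl verify' accepts the certificate, non-zero otherwise.
verify_with() {  # verify_with <trusted-cert> <cert-to-check> [extra openssl verify flags...]
  trusted=$1; target=$2; shift 2
  # -no-CAfile/-no-CApath: ignore the system trust store entirely (OpenSSL >= 1.1.0).
  openssl verify -no-CAfile -no-CApath "$@" -trusted "$trusted" "$target" >/dev/null 2>&1
}

# The post's three steps: each link verified against the next certificate up.
verify_stepwise() {
  verify_with c2 c1 -partial_chain &&   # leaf against the intermediate
  verify_with c3 c2 -partial_chain &&   # intermediate against the root
  verify_with c3 c3                     # root is self-signed: no -partial_chain needed
}

# The same chain in one invocation: root trusted, intermediate supplied as untrusted.
verify_whole_chain() {
  verify_with c3 c1 -untrusted c2
}

# Negative check: without the intermediate, the leaf must NOT verify against the root
# (openssl reports "unable to get local issuer certificate").
leaf_alone_fails() {
  if verify_with c3 c1; then return 1; fi
  return 0
}

build_chain
verify_stepwise        && echo "stepwise verification: OK"
verify_whole_chain     && echo "whole chain verification: OK"
leaf_alone_fails       && echo "leaf without intermediate: rejected as expected"
```

The one-shot form at the end (root trusted, intermediate passed with -untrusted) is closer to what a TLS client does: it evaluates the links together, including name constraints and CA flags on the intermediate, whereas the three separate steps each trust one certificate blindly and only prove the signature on the link below it. Use the link-by-link form when you need to find out which link is broken, and the whole-chain form to decide whether the chain is acceptable.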


2 thoughts on “How To Verify Certificate Chain with OpenSSL?”

  1. Ismail, I was almost in tears 😉 before I saw this and -partial_chain, in particular. I knew there had to be a way to avoid having to specify a root cert. I grepped the openssl verify “app” to see all the verify options, but didn’t think to do same for openssl itself. Do you know if -partial_chain is relatively new? Thanks a ton!

