How To Quickly Verify Certificate Chain Files Using OpenSSL
I nearly forgot this command string so I thought I'd write it down for safekeeping.
Occasionally it's helpful to quickly verify whether a given root cert, intermediate cert(s), and CA-signed leaf cert actually chain together to form a complete TLS certificate chain.
There are a number of tools to check this AFTER the cert is in production (e.g. curl, openssl s_client, etc.), but sometimes it's helpful to check before deploying it. This is especially true nowadays, considering how many different intermediates and roots there are. For this type of scenario, you can use openssl:
openssl verify -verbose -purpose sslserver -CAfile <file containing both root and intermediates> <file containing signed cert>
One caveat: every certificate in the -CAfile bundle is treated as a trust anchor, so this tells you the certs fit together, not that a client which trusts only the root would build the same chain. For that stricter check, put only the root in -CAfile and hand the intermediates to openssl verify with the -untrusted option instead, which forces each intermediate to prove it chains up to the root.
If successful, you'll get back a response like <cert name>: OK
If unsuccessful (or something is missing), you'll get back a response like:
error 20 at 0 depth lookup: unable to get local issuer certificate
The error code and depth vary with what is missing: depth 0 is the leaf cert and each level up is the next issuer, and error 20 (unable to get local issuer certificate) means OpenSSL could not find the issuer of the cert at that depth among the certs you gave it. So "at 0 depth" usually means the intermediate is missing, while "at 1 depth" usually means the intermediate is present but the root is not. Fun stuff.
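Here is an end-to-end run, added as an example and not part of the original post: it mints a throwaway root, intermediate and server cert with openssl, runs the verify command above with root and intermediate together in -CAfile, repeats it with only the root trusted and the intermediate passed via -untrusted, and then drops each CA in turn to show the depth at which the lookup fails. All subject names, file names and the working directory are made up for the demo; it assumes a POSIX shell and OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway
# root -> intermediate -> leaf chain and exercise `openssl verify` on it.
# Names, paths and the temp directory are hypothetical demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Self-contained config so the demo does not depend on the system openssl.cnf.
# Each *_ext section holds the extensions for one tier of the chain.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ int_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

make_test_chain() {
  # Self-signed root CA (constructed test data, valid for 7 days).
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 7 \
    -config "$WORK/openssl.cnf" -extensions root_ext -subj "/CN=Example Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=Example Test Intermediate" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 7 -sha256 -extfile "$WORK/openssl.cnf" -extensions int_ext \
    -out "$WORK/int.pem" 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 7 -sha256 -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.pem" 2>/dev/null
  # The bundle the post feeds to -CAfile: root and intermediate(s) in one file.
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/ca-bundle.pem"
}

# Run `openssl verify` as in the post, echo its output, succeed only on ": OK".
verify_says_ok() {
  out=$(openssl verify -verbose -purpose sslserver "$@" 2>&1) || true
  printf '%s\n' "$out"
  printf '%s\n' "$out" | grep -q ': OK$'
}

# 1. The post's form: root and intermediate both trusted via -CAfile.
check_combined_cafile() {
  verify_says_ok -CAfile "$WORK/ca-bundle.pem" "$WORK/leaf.pem"
}

# 2. Stricter form: only the root is trusted; the intermediate is merely
#    supplied and must itself chain to the root, as a client would require.
check_untrusted_intermediate() {
  verify_says_ok -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}

# 3. Intermediate missing: the leaf's issuer cannot be found, so OpenSSL
#    reports error 20 at depth 0. Returns 0 when that is what we see.
check_missing_intermediate_fails() {
  out=$(openssl verify -verbose -purpose sslserver -CAfile "$WORK/root.pem" \
          "$WORK/leaf.pem" 2>&1) || true
  printf '%s\n' "$out" | grep -q 'error 20 at 0 depth lookup'
}

# 4. Root missing: the intermediate is found (depth 1) but its issuer is not,
#    so the lookup fails one level up. Our test root is not in any system
#    store, so no -CAfile is needed to make it fail.
check_missing_root_fails() {
  out=$(openssl verify -verbose -purpose sslserver -untrusted "$WORK/int.pem" \
          "$WORK/leaf.pem" 2>&1) || true
  printf '%s\n' "$out" | grep -q 'at 1 depth lookup'
}

make_test_chain
check_combined_cafile
check_untrusted_intermediate
check_missing_intermediate_fails && echo "missing intermediate: rejected at depth 0, as expected"
check_missing_root_fails && echo "missing root: rejected at depth 1, as expected"
```

The first two checks print the leaf path followed by ": OK"; the last two deliberately break the chain so you can see which depth the error lands on. When validating a bundle you are about to deploy, the -untrusted form (check 2) is the one to rely on, because it only passes if the intermediates you will serve really do chain to a root the client already trusts.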