How to validate certificates using OpenSSL

In a trust chain, intermediates can be used and it can be hard to follow the chain. Here’s a few commands that can be helpful when debugging a chain:

  • openssl x509 -text -in <cert>

    • Displays the certificate’s information, most importantly the subject name and the issuer. To follow the chain upward, take the issuer and find the certificate file whose subject name matches it. If no file has a matching subject name, either you don’t have all the files for the chain, or the chain is broken and verification will fail with “failed to get grant…”

  • openssl verify -partial_chain -CAfile <intermediate> <leaf>

    • If there are doubts about whether the leaf was signed by a specific intermediate, use this command. If it checks out, you’ll get the following result: <leaf>: OK

    • If the intermediate did not sign the leaf, you’ll get the subject name followed by error 20. Error 20 can also incorrectly occur due to SEC-2299. This has been fixed in 6.1.2.16 and later.

Checking if intermediate signed leaf:

Checking if leaf signed intermediate:
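The chain-following procedure described above, as an added shell example (not from the original page): starting from a leaf, it looks for the PEM file whose subject matches the current certificate’s issuer and checks each link with openssl verify -partial_chain, reporting either a missing issuer file or a match that did not actually sign the child (the error 20 case). It assumes all certificates are separate files ending in .pem in one directory and that openssl is on PATH.

```shell
#!/bin/sh
# Walk a certificate chain upward by matching issuer -> subject across
# PEM files, verifying each link with openssl. POSIX sh, no bashisms.

# Print the subject / issuer of a PEM certificate as a single line.
cert_subject() { openssl x509 -noout -subject -in "$1" | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//';  }

# find_issuer_file CERT DIR: print the file in DIR whose subject equals the
# issuer of CERT. Returns 1 when no such file exists (chain incomplete).
find_issuer_file() {
  want=$(cert_issuer "$1")
  for f in "$2"/*.pem; do
    [ "$(cert_subject "$f")" = "$want" ] && { echo "$f"; return 0; }
  done
  return 1
}

# link_ok CHILD PARENT: 0 only when PARENT actually signed CHILD, i.e. when
# "openssl verify -partial_chain -CAfile PARENT CHILD" reports OK.
link_ok() {
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# walk_chain LEAF DIR: print one "child <- parent" line per verified link,
# stopping at a self-signed certificate (subject == issuer). Returns 1 with
# a message when the chain cannot be followed or a link fails to verify.
walk_chain() {
  cur=$1
  while [ "$(cert_subject "$cur")" != "$(cert_issuer "$cur")" ]; do
    parent=$(find_issuer_file "$cur" "$2") \
      || { echo "no .pem in $2 has a subject matching the issuer of $cur"; return 1; }
    link_ok "$cur" "$parent" \
      || { echo "$parent has the right subject but did not sign $cur (error 20)"; return 1; }
    echo "$(basename "$cur") <- $(basename "$parent")"
    cur=$parent
  done
}
```

Run as `walk_chain leaf.pem /path/to/certs` after sourcing the file; every link it prints has been confirmed with openssl verify, so the first missing line tells you where the chain breaks.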