Hello,

just in case you want to check a webserver installation (which is not explicitly mentioned in Viktor's answer) I want to add this...

In this case (IMHO) the s_client tool of openssl can do what you need. Try

    openssl s_client -connect yourhost.example.org:443 -CAfile SpecialCAFile.pem

where "SpecialCAFile.pem" only contains the root certificate of your "Root X" CA. This gives quite a bit of text as output. Look for a line "Verification: OK" in this output (usually after the PEM-encoded server certificate); if you can find it, the certificate chain should be OK. Otherwise you'll find something like "Verification error: unable to get local issuer certificate".

Hope this helps,
Ted
;)

On 2021-01-05 13:43, Yassine Chaouche wrote:
Dear list,

I would like to learn how to use openssl tools to make sure
a chained certificate is valid?

Example:

Let's say I got the Cert certificate signed by Intermediate
X, but by making the full chain certificate I inadvertently
inserted Intermediate Y instead of X. The (broken)
certificate chain inside Cert would be:

Cert < Intermediate Y < Root X

How do I detect this error with openssl tools? Are there
tools that print issuer and subject of each certificate in
a chain?

Thanks for your guidance.
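
An added example, not part of either message above and not code from the OpenSSL project: it builds a throwaway Root X / Intermediate X / Intermediate Y hierarchy, assembles the broken chain from the question, prints each certificate's subject and issuer, and checks the chain both by name linkage and with `openssl verify`. The file ids, helper function names and the CN `leaf.example.org` are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. All names (Root X, Intermediate X/Y, leaf.example.org, file ids) are constructed.
set -eu
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT
cat > "$D/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

# new_cert ID CN EXT_SECTION [ISSUER_ID]: throwaway key + cert; self-signed if no issuer given
new_cert() {
  openssl req -new -config "$D/cfg" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
  if [ -n "${4:-}" ]; then sign="-CA $D/$4.pem -CAkey $D/$4.key -CAcreateserial"
  else sign="-signkey $D/$1.key"; fi
  openssl x509 -req -in "$D/$1.csr" -days 2 -extfile "$D/cfg" -extensions "$3" \
    $sign -out "$D/$1.pem" 2>/dev/null
}

# show_chain FILE: print subject= and issuer= for every certificate in a PEM bundle
show_chain() { openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout; }

# names_link FILE: fail at the first cert whose subject differs from the previous cert's issuer
names_link() {
  show_chain "$1" | awk '/^subject=/ { s = substr($0, 9)
      if (n++ && s != want) { print "expected: " want "\nfound:    " s; bad = 1; exit } }
    /^issuer=/ { want = substr($0, 8) }
    END { exit bad }'
}

# chain_ok FILE: signature-level check of the leaf against Root X; FILE supplies intermediates
chain_ok() { openssl verify -CAfile "$D/rootX.pem" -untrusted "$1" "$D/leaf.pem" >/dev/null 2>&1; }
new_cert rootX "Root X" ca
new_cert intX "Intermediate X" ca rootX
new_cert intY "Intermediate Y" ca rootX
new_cert leaf "leaf.example.org" leaf intX
cat "$D/leaf.pem" "$D/intX.pem" > "$D/good.pem"     # Cert < Intermediate X
cat "$D/leaf.pem" "$D/intY.pem" > "$D/broken.pem"   # Cert < Intermediate Y (the mistake)
show_chain "$D/broken.pem"
for c in good broken; do
  if names_link "$D/$c.pem" && chain_ok "$D/$c.pem"; then echo "$c: OK"; else echo "$c: BROKEN"; fi
done
```

The name comparison only locates where the chain stops linking; `openssl verify` is what actually checks the signatures up to the root.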

