On Tue, Jan 05, 2021 at 01:43:12PM +0100, Yassine Chaouche wrote:
> How do I detect this error with openssl tools ? are there
> tools that print issuer and subject of each certificate in
> a chain ?
If, by chain, you mean a PEM file with one or more X509 certificates,
then yes. Suppose the file is "certs.pem":
$ openssl crl2pkcs7 -nocrl -certfile certs.pem |
openssl pkcs7 -print_certs -noout -subject -issuer
If you want to instead verify the chain, against some root CA in some
file (perhaps the very same file, just use certs.pem instead of
roots.pem):
$ openssl verify -untrusted certs.pem -trusted roots.pem certs.pem
You can also check for the expected hostname with
$ openssl verify -untrusted certs.pem -trusted roots.pem \
-verify_hostname www.example.com certs.pem
--
Viktor.
