Hello,
just in case you want to check a webserver installation (which is not
explicitly mentioned in Viktor's answer) I want to add this...
In this case (IMHO) the s_client tool of openssl can do what you need. Try

    openssl s_client -connect yourhost.example.org:443 -CAfile SpecialCAFile.pem

where "SpecialCAFile.pem" only contains the root certificate of your
"Root X" CA. This gives quite a bit of text as output. Look for a line
"Verification: OK" in this output (usually after the PEM-encoded server
certificate); if you can find it, the certificate chain should be OK.
Otherwise you'll find something like "Verification error: unable to get
local issuer certificate".
Hope this helps,
Ted
;)
On 2021-01-05 13:43, Yassine Chaouche wrote:
Dear list,
I would like to learn how to use openssl tools to make sure
a chained certificate is valid ?
example :
Let's say I got the Cert certificate signed by Intermediate
X, but by making the full chain certificate I inadvertently
inserted Intermediate Y instead of X. The (broken)
certificate chain inside Cert would be :
Cert < Intermediate Y < Root X
How do I detect this error with openssl tools? Are there
tools that print issuer and subject of each certificate in
a chain ?
Thanks for your guidance.
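
For a chain that is still a file on disk rather than a live server, the shell functions below (an added example, not part of either message) print the subject and issuer of each certificate in a bundle and flag the "Intermediate Y instead of X" mix-up from the question. The file names, the CNs and the make_demo_chains helper are constructed for illustration; matching names is not proof of a valid signature, so verify_chain also runs openssl verify with only the one root trusted.

```shell
#!/bin/sh
# Added example; file names and demo CNs are constructed, not from the thread.

# Print subject/issuer of each certificate in a PEM bundle (leaf first) and
# report where a certificate's issuer is not the subject of the next one.
# This compares names only; verify_chain below checks the signatures.
print_chain_links() {   # usage: print_chain_links bundle.pem
    openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '
        /^subject=/ { subj = substr($0, 9); n++
                      if (n > 1 && subj != issuer) {
                          printf "MISMATCH: cert %d names issuer \"%s\" but cert %d is \"%s\"\n", n - 1, issuer, n, subj
                          bad = 1
                      }
                      printf "cert %d subject: %s\n", n, subj }
        /^issuer=/  { issuer = substr($0, 8); printf "cert %d issuer:  %s\n", n, issuer }
        END { exit (bad || n == 0) }'
}

# Signature check: first certificate in the bundle is the target, the bundle
# supplies the untrusted intermediates, and only root.pem is trusted.
verify_chain() {   # usage: verify_chain root.pem bundle.pem
    openssl verify -CAfile "$1" -untrusted "$2" "$2"
}

# Build constructed test data in directory $1: good.pem (leaf, Intermediate X,
# Root X) and broken.pem (leaf, Intermediate Y, Root X). The leaf is signed by X.
make_demo_chains() (
    mkdir -p "$1" && cd "$1" || exit 1
    issue() {   # usage: issue <file-stem> <CN> <issuer-stem> <TRUE|FALSE>
        printf 'basicConstraints=critical,CA:%s\n' "$4" > "$1.ext"
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
        openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
            -CAcreateserial -extfile "$1.ext" -days 2 -out "$1.pem" 2>/dev/null
    }
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Root X" \
        -keyout rootx.key -out rootx.pem 2>/dev/null &&
    issue intx "Intermediate X" rootx TRUE &&
    issue inty "Intermediate Y" rootx TRUE &&
    issue leaf "www.example.org" intx FALSE &&
    cat leaf.pem intx.pem rootx.pem > good.pem &&
    cat leaf.pem inty.pem rootx.pem > broken.pem
)
```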