Verify a certificate chain using openssl verify

Learn verify a certificate chain using openssl verify with practical examples, diagrams, and best practices. Covers openssl, certificate development techniques with visual explanations.
Tags:
Categories:

Verifying Certificate Chains with OpenSSL

Hero image for Verify a certificate chain using openssl verify

Learn how to use the openssl verify command to validate SSL/TLS certificate chains, ensuring trust and authenticity in your systems.

In the world of secure communication, SSL/TLS certificates are fundamental for establishing trust. A certificate chain is a hierarchical list of certificates, starting with an end-entity certificate (your server's certificate) and ending with a trusted root certificate authority (CA). Verifying this chain is crucial to ensure that the certificate presented by a server is legitimate and issued by a trusted source. This article will guide you through using the openssl verify command to perform these essential checks.

Understanding Certificate Chains

A certificate chain typically consists of three main components:

  1. End-Entity Certificate: This is the certificate issued to your server or domain. It's the one your browser or client directly receives.
  2. Intermediate Certificate(s): These certificates act as a bridge between the end-entity certificate and the root CA. A root CA rarely signs end-entity certificates directly; instead, it delegates this authority to intermediate CAs.
  3. Root Certificate: This is a self-signed certificate belonging to a trusted Certificate Authority. Root certificates are pre-installed in operating systems and web browsers, forming the foundation of trust.

For a certificate to be considered valid, every certificate in its chain must be verifiable up to a trusted root CA. If any link in this chain is broken, expired, or untrusted, the entire chain fails validation.

flowchart TD
    A[End-Entity Certificate] --> B[Intermediate CA Certificate 1]
    B --> C[Intermediate CA Certificate 2 (Optional)]
    C --> D[Root CA Certificate]
    D -- Trusted by --> E[Client/Browser Trust Store]

Typical Certificate Chain Hierarchy

Using openssl verify for Validation

The openssl verify command is a powerful utility for checking the validity of a certificate chain. It takes a certificate file and, optionally, a file containing trusted CA certificates (the 'trust store' or 'CA bundle') to perform the validation. The command attempts to build a chain from the provided certificate up to one of the trusted CAs.

Basic Verification

To verify a single certificate against your system's default trust store, you can simply provide the certificate file:

openssl verify my_server_certificate.crt

If the certificate is valid and its chain can be traced to a trusted root in your system's default store, you'll see output similar to my_server_certificate.crt: OK.

openssl verify my_server_certificate.crt

Verifying a certificate against the default trust store.

Verifying with a Custom CA Bundle

Often, you'll need to verify a certificate against a specific set of trusted CA certificates, especially in custom environments or when dealing with private CAs. You can provide a custom CA bundle using the -CAfile or -CApath options.

  • -CAfile <file>: Specifies a single file containing concatenated trusted CA certificates (PEM format).
  • -CApath <directory>: Specifies a directory containing trusted CA certificates, where each certificate is in a separate file and the directory has been processed with c_rehash or openssl rehash to create symbolic links.

Example with -CAfile

Let's say you have your server certificate (server.crt), an intermediate certificate (intermediate.crt), and a root certificate (root.crt). You would first combine the intermediate and root certificates into a single CA bundle file.

cat intermediate.crt root.crt > ca-bundle.crt
openssl verify -CAfile ca-bundle.crt server.crt

Combining CA certificates and verifying against a custom CA bundle.

Troubleshooting Verification Failures

If openssl verify returns an error, it will usually provide a reason code. Common reasons for failure include:

  • unable to get local issuer certificate: The certificate's issuer is not found in the provided CA bundle or the system's trust store. This often means a missing intermediate certificate or an untrusted root.
  • certificate has expired or certificate is not yet valid: The certificate's validity period is outside the current date.
  • self signed certificate in certificate chain: A self-signed certificate (like a root CA) was encountered, but it's not trusted.
  • unable to get issuer certificate: Similar to the first, but might indicate a broken chain where an intermediate's issuer cannot be found.

To get more verbose output, use the -verbose flag:

openssl verify -verbose -CAfile ca-bundle.crt server.crt

Using the verbose flag for detailed error messages.

1. Prepare your certificates

Ensure you have your server certificate (.crt or .pem) and any intermediate CA certificates. If you have a root CA certificate, include it as well. All certificates should be in PEM format.

2. Create a CA bundle (if needed)

If you're not relying on the system's default trust store, concatenate your intermediate and root CA certificates into a single file (e.g., cat intermediate.crt root.crt > ca-bundle.crt).

3. Run the verification command

Execute openssl verify with your server certificate and the appropriate CA options. For example: openssl verify -CAfile ca-bundle.crt server.crt.

4. Interpret the results

Look for OK for a successful verification. If an error occurs, examine the error message, potentially using the -verbose flag, to diagnose the issue (e.g., missing intermediates, expired certificates).