show details:
openssl x509 -in cert.pem -text
extract public key
openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
on Windows
certutil -dump <file>
Verification
openssl verify cert.pem
CN = ***.***.**
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed
As you can see, the chain cannot be verified: the Root CA certificate is unknown, so the chain cannot be validated. To find out which CA issued this certificate (the issuer), use the following command:
openssl x509 -in cert.pem -noout -issuer
issuer= /CN=the name of the CA
Now that we know the issuer, we can check if the Root CA certificate file we have is the correct one by retrieving the subject of the Root CA certificate file. This should match the issuer on the server certificate file.
Note
If it does not show the expected issuer, the certificate might have been issued by an intermediate CA. Scroll down and check out the source link on how to deal with intermediate certificates.
Retrieve the subject of the Root CA certificate file using this command:
openssl x509 -noout -subject -in ca.pem
subject= /CN=the name of the CA
The two match. Now verify the server certificate against the Root CA certificate file by passing it with the -CAfile parameter:
openssl verify -CAfile ca.pem cert.pem
cert.pem: OK
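The checks above as one script, added here as an example and not taken from the linked source. It builds a throwaway CA and server certificate (all names, files and function names are constructed) and also shows why the name comparison alone is not enough: a second CA file that reuses the same subject name matches the issuer but fails openssl verify. It assumes an openssl whose verify command exits non-zero on failure.

```sh
#!/bin/sh
# Added example: constructed throwaway PKI; every name and file below is made up.

# Print one DN field (-issuer or -subject) in a stable format, without its label.
dn() { openssl x509 -in "$2" -noout "$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# Name check from the text: issuer of the certificate == subject of the CA file.
issuer_matches_ca() { [ "$(dn -issuer "$1")" = "$(dn -subject "$2")" ]; }

# Signature check from the text: openssl verify -CAfile ca.pem cert.pem
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Build the constructed test material in directory $1:
#   ca.pem     self-signed root "Example Root CA"
#   cert.pem   server certificate issued by ca.pem
#   other.pem  a different self-signed root that reuses the same subject name
make_demo_pki() {
  (
    cd "$1" || exit 1
    for ca in ca other; do
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root CA" -keyout "$ca.key" -out "$ca.pem" 2>/dev/null || exit 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
      -keyout cert.key -out cert.csr 2>/dev/null || exit 1
    openssl x509 -req -in cert.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 1 -out cert.pem 2>/dev/null
  )
}

# Report both checks for certificate $1 against CA file $2.
check() {
  if issuer_matches_ca "$1" "$2"; then n=match; else n=MISMATCH; fi
  if chain_verifies "$1" "$2"; then v=OK; else v=FAILED; fi
  echo "$2: issuer/subject $n, verify $v"
}

demo() {
  dir=$(mktemp -d) || return 1
  make_demo_pki "$dir" || return 1
  check "$dir/cert.pem" "$dir/ca.pem"      # the real issuer
  check "$dir/cert.pem" "$dir/other.pem"   # same name, different key
  rm -rf "$dir"
}
demo
```

The second line of output is the case to remember: a matching issuer/subject only tells you which CA file to try, and the result of openssl verify -CAfile is what decides.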
Source:
https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce