openssl verify: Validate a Certificate Chain
openssl verify validates a certificate against a set of trusted CAs and intermediate certs.
Chain problems are the most common TLS failure. verify reproduces what a client does and names the exact link that breaks.
What it does
openssl verify builds and checks the chain from a leaf certificate up to a trusted root. -CAfile supplies the trust anchors and -untrusted supplies intermediates that are not themselves trusted.
Common usage
openssl verify -CAfile ca.pem leaf.pem
# leaf plus separate intermediates
openssl verify -CAfile root.pem -untrusted intermediates.pem leaf.pemOptions
| Flag | What it does |
|---|---|
| -CAfile <file> | PEM file of trusted root certificates |
| -untrusted <file> | Intermediate certs needed to build the chain |
| -CApath <dir> | Directory of hashed CA certs |
| -purpose <use> | Check suitability, e.g. sslserver |
| -verbose | Print more detail on the chain build |
Common errors in CI
"error 20 at 0 depth lookup: unable to get local issuer certificate" means the issuer is missing; pass it via -untrusted or -CAfile. "error 21: unable to verify the first certificate" means the leaf has no path to a trusted root. "error 10: certificate has expired" and "error 18: self signed certificate" are exactly what they say. Pass the missing intermediate to clear errors 20 and 21.