Skip to content
Latchkey

openssl verify: Validate a Certificate Chain

openssl verify validates a certificate against a set of trusted CAs and intermediate certs.

Chain problems are the most common TLS failure. verify reproduces what a client does and names the exact link that breaks.

What it does

openssl verify builds and checks the chain from a leaf certificate up to a trusted root. -CAfile supplies the trust anchors and -untrusted supplies intermediates that are not themselves trusted.

Common usage

Terminal
openssl verify -CAfile ca.pem leaf.pem
# leaf plus separate intermediates
openssl verify -CAfile root.pem -untrusted intermediates.pem leaf.pem

Options

FlagWhat it does
-CAfile <file>PEM file of trusted root certificates
-untrusted <file>Intermediate certs needed to build the chain
-CApath <dir>Directory of hashed CA certs
-purpose <use>Check suitability, e.g. sslserver
-verbosePrint more detail on the chain build

Common errors in CI

"error 20 at 0 depth lookup: unable to get local issuer certificate" means the issuer is missing; pass it via -untrusted or -CAfile. "error 21: unable to verify the first certificate" means the leaf has no path to a trusted root. "error 10: certificate has expired" and "error 18: self signed certificate" are exactly what they say. Pass the missing intermediate to clear errors 20 and 21.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →