How can I verify SSL certificates on the command line?
I'm trying to validate/verify that the rsa key, ca-bundle, and certificate stored here are ok. They are not being served by a webserver. How can I verify them?
Assuming your certificates are in PEM format, you can do:
openssl verify cert.pem
If your "ca-bundle" is a file containing additional intermediate certificates in PEM format:
openssl verify -untrusted ca-bundle cert.pem
If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CAfile to specify the CA.
Warning: the openssl verify command is more permissive than you might expect! By default, in addition to checking the given CAfile, it also checks for any matching CAs in the system's certs directory, e.g. /etc/ssl/certs. To prevent this behavior and make sure you're checking against your particular CA cert given by CAfile, you must also pass a -CApath option with a non-existent directory, e.g.: openssl verify -verbose -CApath nosuchdir -CAfile cacert.pem server.crt