Issued by Trusted CA ?

• The signature of the certificate is verified with the public key to check if it was signed (issued) by a trusted party (usually a trusted root CA)
• If the certificate was not signed (issued) by a trusted CA, the connecting device (eg. a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA (one step above in the chain), and so on until either:
  • a trusted CA is found (at which point a trusted, secure connection will be established)
  • a trusted CA can not be found (at which point the device will usually display an error).

In other words, the top of the chain, the root certificate, must be issued by a trusted certificate authority (CA) in order to have a trusted connection.

Still valid

It check that the certificate is still valid.

Identity

It check that the certificate is related to the site contacted (e.g. For a website, the Common Name contains the hostname).

Not revoked

The certificate should not be in the certificat revoked list.

Verify

To verify a pem certificate with its chain, you can use the verify command of openssl

Example:

openssl verify -untrusted  chain.pem cert.pem

where:

• untrusted is used to point to the file with an intermediate certificate if any.

error 20 at 0 depth lookup:unable to get local issuer certificate

If you got an error with openssl verify such as:

fullchain.pem: CN = server01.bytle.net
error 20 at 0 depth lookup:unable to get local issuer certificate

The error number (in this case 20) can be seen in the man verify documentation, section DIAGNOSTICS

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
           the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be
           found.

Possible solution:

• You forgot to add the intermediate certificate as untrusted. ie

openssl verify -untrusted  intermediate.pem cert.pem

• Otherwise you need to create the chain in one file