crypto:certificate:verify

About

A certificate check is an authentication known as Sender Authentication (or asymmetric authentication).

Checks

Issued by Trusted CA ?

The signature of the certificate is verified with the public key to check if it was signed (issued) by a trusted party (usually a trusted root CA)
If the certificate was not signed (issued) by a trusted CA, the connecting device (eg. a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA (one step above in the chain), and so on until either:
- a trusted CA is found (at which point a trusted, secure connection will be established)
- a trusted CA can not be found (at which point the device will usually display an error).

In other words, the top of the chain, the root certificate, must be issued by a trusted certificate authority (CA) in order to have a trusted connection.

Still valid

It check that the certificate is still valid.

Identity

It check that the certificate is related to the site contacted (e.g. For a website, the Common Name contains the hostname).

Not revoked

The certificate should not be in the certificat revoked list.

Management

Verify

To verify a pem certificate with its chain, you can use the verify command of openssl

Example:

openssl verify -untrusted  chain.pem cert.pem

where:

untrusted is used to point to the file with an intermediate certificate if any.

You can also create the whole chain in one file

In TLS, to verify the certificate, the remote client must receive the issuing CA certificates via the TLS handshake or via public-key infrastructure. This means that the public-key certificate file must:

include the server certificate first,
then the issuing CA(s)

(bottom-up order)

Support

error 20 at 0 depth lookup:unable to get local issuer certificate

If you got an error with openssl verify such as:

fullchain.pem: CN = server01.bytle.net
error 20 at 0 depth lookup:unable to get local issuer certificate

The error number (in this case 20) can be seen in the man verify documentation, section DIAGNOSTICS

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
           the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be
           found.

Possible solution:

You forgot to add the intermediate certificate as untrusted. ie

openssl verify -untrusted  intermediate.pem cert.pem

Otherwise you need to create the chain in one file

Table of Contents

Certificate and chain verification