Certificate and chain verification

1 - About

A certificate check is equivalent to an authentication.

Issued by a trusted CA?

  • Check if the certificate was issued by a trusted party (usually a trusted root CA)
  • If the certificate was not issued by a trusted CA, the connecting device (e.g. a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA (one step above in the chain), and so on until either:
    • a trusted CA is found (at which point a trusted, secure connection will be established)
    • a trusted CA cannot be found (at which point the device will usually display an error).

In other words, the top of the chain, the root certificate, must be issued by a trusted certificate authority (CA) in order to have a trusted connection.

Still valid

  • It checks that the certificate is still valid


  • It checks that the certificate is related to the site contacted (e.g. for a website, the Common Name contains the hostname).

3 - Management

3.1 - Verify

To verify a PEM certificate with its chain, you can use the verify command of openssl:


openssl verify -untrusted chain.pem cert.pem


  • -untrusted points to the file with the intermediate certificate(s), if any.

You can also create the whole chain in one file.

In TLS, to verify the certificate, the remote client must receive the issuing CA certificates via the TLS handshake or via public-key infrastructure. This means that the public-key certificate file must:

  • include the server certificate first,
  • then the issuing CA(s)

(bottom-up order)

4 - Support

4.1 - error 20 at 0 depth lookup:unable to get local issuer certificate

If you get an error with openssl verify such as:

fullchain.pem: CN = server01.bytle.net
error 20 at 0 depth lookup:unable to get local issuer certificate

The error number (in this case 20) is documented in the DIAGNOSTICS section of man verify:

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
           the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be

Possible solutions:

  • You forgot to add the intermediate certificate as untrusted, i.e.

openssl verify -untrusted intermediate.pem cert.pem

  • Otherwise you need to create the chain in one file
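
The verify command from section 3.1 and the error 20 case from section 4.1, reproduced end to end on a throwaway PKI. This is an added example, not part of the original page: the subjects, file names and the server.example.test host are constructed, and -CAfile root.pem stands in for the system trust store because the demo root is not installed there.

```shell
# Added example: throwaway root -> intermediate -> leaf PKI (constructed names).
make_demo_pki() {  # $1 = empty working directory
  ( set -e; cd "$1"
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:server.example.test
EOF
    # Self-signed root: the only certificate placed in the trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -config ext.cnf -extensions v3_ca \
      -subj "/CN=Demo Root CA" -days 2 -keyout root.key -out root.pem
    # Intermediate CA, issued by the root.
    openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
      -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ext.cnf -extensions v3_ca -days 2 -out intermediate.pem
    # Server (leaf) certificate, issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
      -subj "/CN=server.example.test" -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey int.key \
      -CAcreateserial -extfile ext.cnf -extensions v3_leaf -days 2 -out cert.pem
    # Chain file in bottom-up order: server certificate first, then its issuer.
    cat cert.pem intermediate.pem > fullchain.pem
  ) >/dev/null 2>&1
}
verify_without_chain() {  # no intermediate supplied: fails with error 20
  openssl verify -CAfile "$1/root.pem" "$1/cert.pem" 2>&1
}
verify_with_chain() {     # intermediate passed as untrusted: succeeds
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
    "$1/cert.pem" 2>&1
}
verify_fullchain() {      # first cert in the file is verified, the rest build the chain
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/fullchain.pem" \
    "$1/fullchain.pem" 2>&1
}
demo=$(mktemp -d)
make_demo_pki "$demo"
verify_without_chain "$demo" || echo "(expected: issuer of cert.pem not found)"
verify_with_chain "$demo"
verify_fullchain "$demo"
rm -rf "$demo"
```

Passing a certificate with -untrusted does not make it trusted: it is only a candidate for chain building, and verification still has to end at a certificate in the trust store.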

