A certificate check is the authentication step of a TLS connection: together with the proof of possession of the private key that the handshake provides, it establishes that the peer is who its certificate says it is. The check has several parts.
Issued by a trusted CA?
- If the certificate was not signed (issued) directly by a trusted CA, the connecting device (e.g. a web browser) checks whether the certificate of the issuing CA was itself issued by a trusted CA (one step up the chain), and so on until either:
In other words, the chain must end at a root certificate that is present in the client's trust store (a trusted certificate authority, CA) for the connection to be trusted. Roots are self-signed, so the root is not "issued by" anyone: trust in it comes only from its presence in the store.
It checks that the certificate is still valid, i.e. that the current time lies between its notBefore and notAfter dates (every certificate in the chain, not only the leaf).
It checks that the certificate is bound to the site contacted (for a website, the hostname must appear in the Subject Alternative Name extension; older clients also accepted it in the Common Name).
The certificate must not be revoked, which is checked against a certificate revocation list (CRL) or via OCSP. openssl verify does not do this unless asked to (-crl_check with a CRL supplied).
openssl verify -untrusted chain.pem cert.pem
- The -untrusted option points to a file with the intermediate certificate(s), if any. They are used to build the chain but are not trusted by themselves; the root at the top of the chain must come from the default trust store or from a file given with -CAfile.
error 20 at 0 depth lookup:unable to get local issuer certificate
If you get an error from openssl verify such as:
fullchain.pem: CN = server01.bytle.net error 20 at 0 depth lookup:unable to get local issuer certificate
The error number (in this case 20) is documented in the verify man page (openssl-verify(1)), section DIAGNOSTICS:
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
- At depth 0 this means the issuer of the leaf certificate, i.e. the intermediate, could not be found: you forgot to pass the intermediate certificate with -untrusted. I.e.
openssl verify -untrusted intermediate.pem cert.pem
- Otherwise put the whole chain (all intermediate certificates concatenated) in one file and pass that file as -untrusted; the option accepts a file with several certificates.
- If the error is reported at depth 1 instead, the intermediate was found but its issuer, the root, was not: it must be trusted, either installed in the system store or given explicitly with -CAfile root.pem.
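The following script is an added example, not code from the original page: it builds a throwaway root -> intermediate -> leaf chain with the openssl CLI (1.1.1 or later assumed in PATH) and then runs the verify calls discussed above, reproducing the error-20 case from the troubleshooting section, the fix with -untrusted, and the hostname and validity checks listed at the top. Every name in it (Demo Root CA, Demo Intermediate CA, server01.example.test) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): build a throwaway three-level
# chain, root -> intermediate -> leaf, and run the "openssl verify" calls the
# text describes, including the error-20 case. All names (Demo Root CA,
# Demo Intermediate CA, server01.example.test) are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create root CA, intermediate CA and leaf certificate, each valid 30 days.
# Extensions come from small ext files so the result does not depend on the
# local openssl.cnf defaults. Runs in a subshell so the cd does not leak.
make_chain() (
  cd "$WORK"

  # Root: self-signed; this is the trust anchor that -CAfile will point to.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.pem 2>/dev/null

  # Intermediate: issued by the root. This is the file the text passes as
  # -untrusted: needed to build the chain, but not itself a trust anchor.
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out int.pem 2>/dev/null

  # Leaf: issued by the intermediate and bound to one hostname via SAN.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=server01.example.test" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:server01.example.test' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# Run "openssl verify" on the demo leaf with the root as the explicit trust
# anchor; any extra arguments are passed through to openssl. The exit status
# is openssl's (0 = OK, non-zero = verification failed); the diagnostics,
# normally on stderr, are merged into stdout so they can be grepped.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/leaf.pem" 2>&1
}

# Same, with the intermediate supplied as -untrusted (the fix from the text).
verify_leaf_with_chain() {
  verify_leaf -untrusted "$WORK/int.pem" "$@"
}

make_chain

echo '== leaf alone: its issuer (the intermediate) cannot be found -> error 20 at depth 0 =='
verify_leaf || true

echo '== intermediate passed with -untrusted, root trusted via -CAfile -> OK =='
verify_leaf_with_chain

echo '== hostname check: the name you connected to must be in the certificate =='
verify_leaf_with_chain -verify_hostname server01.example.test
verify_leaf_with_chain -verify_hostname other.example.test || true

echo '== validity check: evaluate the same chain 40 days from now with -attime =='
verify_leaf_with_chain -attime $(( $(date +%s) + 40 * 86400 )) || true
```

The first call shows exactly the "error 20 at 0 depth lookup: unable to get local issuer certificate" from above; adding -untrusted turns it into "leaf.pem: OK". The -verify_hostname and -attime options exercise the hostname and validity checks that a browser performs implicitly; revocation is not exercised here because no CRL is published for the demo CA.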