Certificat and chain verification


A certificate check is equivalent to an authentication.


Issued by Trusted CA ?

In other words, the top of the chain, the root certificate, must be issued by a trusted certificate authority (CA) in order to have a trusted connection.

Still valid

It check that the certificate is still valid.


It check that the certificate is related to the site contacted (e.g. For a website, the Common Name contains the hostname).

Not revoked

The certificate should not be in the certificat revoked list.



To verify a pem certificate with its chain, you can use the verify command of openssl


openssl verify -untrusted  chain.pem cert.pem


  • untrusted is used to point to the file with an intermediate certificate if any.

You can also create the whole chain in one file

In TLS, to verify the certificate, the remote client must receive the issuing CA certificates via the TLS handshake or via public-key infrastructure. This means that the public-key certificate file must:

  • include the server certificate first,
  • then the issuing CA(s)

(bottom-up order)


error 20 at 0 depth lookup:unable to get local issuer certificate

If you got an error with openssl verify such as:

fullchain.pem: CN = server01.bytle.net
error 20 at 0 depth lookup:unable to get local issuer certificate

The error number (in this case 20) can be seen in the man verify documentation, section DIAGNOSTICS

 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
           the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be

Possible solution:

  • You forgot to add the intermediate certificate as untrusted. ie
openssl verify -untrusted  intermediate.pem cert.pem
  • Otherwise you need to create the chain in one file

Powered by ComboStrap