Certificate and chain verification



A certificate check is equivalent to an authentication.


Issued by a trusted CA?

The top of the chain, the root certificate, must be issued by a trusted certificate authority (CA) in order to have a trusted connection.

Still valid

The check confirms that the certificate is still valid, i.e. that the current date is within its validity period (Not Before / Not After).


The check confirms that the certificate is related to the site contacted (e.g. for a website, the Common Name contains the hostname).

Not revoked

The certificate should not be in the certificate revocation list (CRL).



To verify a PEM certificate with its chain, you can use the verify command of openssl:


openssl verify -untrusted chain.pem cert.pem


  • -untrusted points to the file that holds the intermediate certificate(s), if any.

You can also create the whole chain in one file.

In TLS, to verify the certificate, the remote client must receive the issuing CA certificates via the TLS handshake or via public-key infrastructure. This means that the public-key certificate file must:

  • include the server certificate first,
  • then the issuing CA(s)

(bottom-up order)


error 20 at 0 depth lookup:unable to get local issuer certificate

If you get an error with openssl verify such as:

fullchain.pem: CN = server01.bytle.net
error 20 at 0 depth lookup:unable to get local issuer certificate

The error number (in this case 20) is documented in the DIAGNOSTICS section of the openssl verify man page (man verify):

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
           the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be

Possible solutions:

  • You forgot to add the intermediate certificate as untrusted, i.e.
    openssl verify -untrusted intermediate.pem cert.pem
  • Otherwise, you need to create the chain in one file.
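
The error and both fixes above, reproduced end to end as an added example (not part of the original page). It builds a throwaway chain whose names (demo-root, demo-intermediate, demo-cert) are constructed, and it assumes -CAfile is needed to trust the demo root, since that root is not in the system trust store.

```shell
#!/usr/bin/env bash
# Added example: every name and file here is constructed for the demo.

# Create a throwaway root -> intermediate -> leaf chain in directory $1.
make_demo_chain() {
  local d=$1 n
  printf '%s\n' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
                '[v3_leaf]' 'basicConstraints=CA:FALSE' > "$d/ext.cnf"
  for n in root intermediate cert; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ext.cnf" -extensions v3_ca -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA signed by the root.
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ext.cnf" -extensions v3_ca \
    -out "$d/intermediate.pem" 2>/dev/null || return 1
  # Server (leaf) certificate signed by the intermediate.
  openssl x509 -req -in "$d/cert.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/intermediate.key" -CAcreateserial -extfile "$d/ext.cnf" \
    -extensions v3_leaf -out "$d/cert.pem" 2>/dev/null || return 1
  # One-file chain, bottom-up: server certificate first, then the issuing CA.
  cat "$d/cert.pem" "$d/intermediate.pem" > "$d/fullchain.pem"
}

# -CAfile trusts the demo root; with a public CA the system trust store does this.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/cert.pem" 2>&1
}
verify_with_untrusted() {   # $2 = file holding the intermediate certificate(s)
  openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/cert.pem" 2>&1
}

demo() {
  local d
  d=$(mktemp -d) && make_demo_chain "$d" || return 1
  echo "# no intermediate supplied (expect error 20):"
  verify_leaf_only "$d" || true
  echo "# -untrusted intermediate.pem:"
  verify_with_untrusted "$d" "$d/intermediate.pem"
  echo "# -untrusted fullchain.pem:"
  verify_with_untrusted "$d" "$d/fullchain.pem"
  rm -rf "$d"
}
demo
```

The first call prints the error 20 diagnostic at depth 0 because the leaf's issuer is neither trusted nor supplied; the other two print cert.pem: OK.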
