About
Checking a certificate amounts to authenticating its holder.
Checks
Issued by a trusted CA?
- The signature of the certificate is verified with the issuer's public key to check that it was signed (issued) by a trusted party (usually a trusted root CA).
- If the certificate was not signed (issued) by a trusted CA, the connecting device (e.g. a web browser) checks whether the certificate of the issuing CA was itself issued by a trusted CA (one step up the chain), and so on until either:
  - a trusted CA is found (at which point a trusted, secure connection is established), or
  - no trusted CA can be found (at which point the device usually displays an error).
In other words, the top of the chain, the root certificate, must come from a trusted certificate authority (CA) for the connection to be trusted.
Still valid
It checks that the certificate is still valid, i.e. that the current time falls within its validity period.
Identity
It checks that the certificate belongs to the site contacted (e.g. for a website, the Common Name contains the hostname).
Not revoked
The certificate must not appear in the issuer's certificate revocation list (CRL).
Management
Verify
To verify a PEM certificate together with its chain, use the verify command of OpenSSL.
Example:
openssl verify -untrusted chain.pem cert.pem
where:
- -untrusted points to the file holding the intermediate certificate(s), if any.
You can also put the whole chain in one file.
In TLS, to verify the certificate, the remote client must receive the issuing CA certificates via the TLS handshake or via public-key infrastructure. This means that the public-key certificate file must:
- contain the server certificate first,
- followed by the issuing CA certificate(s)
(bottom-up order).
Support
error 20 at 0 depth lookup:unable to get local issuer certificate
If you get an error from openssl verify such as:
fullchain.pem: CN = server01.bytle.net
error 20 at 0 depth lookup:unable to get local issuer certificate
The error number (in this case 20) is documented in the verify man page, section DIAGNOSTICS:
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
Possible solutions:
- You forgot to pass the intermediate certificate with -untrusted, i.e.
openssl verify -untrusted intermediate.pem cert.pem
- Otherwise, create the whole chain in one file.
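As an added example (not code from the original page), the POSIX shell script below builds a three-level chain with OpenSSL and runs the checks described in the Checks and Verify sections: the missing-intermediate failure that yields error 20, the fix with -untrusted (either the intermediate file or a leaf-first bundle), the identity check with -verify_hostname, and the validity-period check with -attime. It assumes openssl 1.1.1 or later on PATH; the root CA, the intermediate, the hostname server01.example.test and the scratch directory are constructed for the demo. Because the demo root is not in the system trust store, it is passed explicitly with -CAfile instead of relying on the default store as the page's command does. The leaf carries its hostname in a subjectAltName, which is what -verify_hostname matches. Revocation (CRL) checking is not exercised here.

```shell
#!/bin/sh
# Added example, not part of the original page: build root -> intermediate ->
# leaf with OpenSSL and exercise the checks described above.
# Assumes `openssl` 1.1.1 or newer on PATH. Names, hostname and directory
# layout are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"     # scratch directory (constructed layout)
HOST="server01.example.test"     # constructed hostname, not a real site
PKEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"   # fast demo keys

# build_chain: create root.pem (trust anchor), int.pem (intermediate),
# leaf.pem (server certificate) and fullchain.pem (leaf first, then issuer).
build_chain() {
    # `x509 -req` does not copy CSR extensions, so they are supplied via -extfile.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"

    # 1. self-signed root CA: the trust anchor the chain must end at
    openssl req $PKEY -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

    # 2. intermediate CA, issued (signed) by the root
    openssl req $PKEY -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

    # 3. server (leaf) certificate, issued by the intermediate
    openssl req $PKEY -subj "/CN=$HOST" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

    # 4. the bundle a TLS server sends: leaf first, then the issuing CA (bottom-up)
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
}

# verify_code CERT [verify options...]: verify $WORK/CERT with root.pem as the
# explicit trust anchor and print "0" on success, otherwise the numeric code
# from the "error N at D depth lookup" diagnostic (20 = issuer not found,
# 62 = hostname mismatch, 9 = certificate not yet valid).
verify_code() {
    cert="$WORK/$1"; shift
    if out=$(openssl verify -CAfile "$WORK/root.pem" "$@" "$cert" 2>&1); then
        echo 0
    else
        printf '%s\n' "$out" \
            | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' | head -n 1
    fi
}

build_chain
echo "leaf only, intermediate missing  : $(verify_code leaf.pem)"
echo "leaf + -untrusted int.pem        : $(verify_code leaf.pem -untrusted "$WORK/int.pem")"
echo "leaf + -untrusted fullchain.pem  : $(verify_code leaf.pem -untrusted "$WORK/fullchain.pem")"
echo "hostname matches SAN             : $(verify_code leaf.pem -untrusted "$WORK/int.pem" -verify_hostname "$HOST")"
echo "hostname does not match          : $(verify_code leaf.pem -untrusted "$WORK/int.pem" -verify_hostname other.example.test)"
echo "checked at a time before issue   : $(verify_code leaf.pem -untrusted "$WORK/int.pem" -attime 1000000000)"
```

The first line reproduces the situation in the Support section: only the leaf is given, the issuer (the intermediate) is nowhere to be found, so verification stops at depth 0 with error 20. Supplying the intermediate, on its own or inside the leaf-first bundle, lets OpenSSL walk the chain up to the trust anchor and report OK; the hostname and time checks then fail independently of the chain when their own condition is violated.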