openssl-verify
TLDR
Verify certificate
$ openssl verify [certificate.crt]
Verify with CA file
$ openssl verify -CAfile [ca.crt] [certificate.crt]
Verify with CA directory
$ openssl verify -CApath [/etc/ssl/certs/] [certificate.crt]
Verify certificate chain
$ openssl verify -CAfile [ca.crt] -untrusted [intermediate.crt] [leaf.crt]
Show verification details
$ openssl verify -verbose [certificate.crt]
SYNOPSIS
openssl verify [options] cert...
DESCRIPTION
openssl verify verifies certificate chains against trusted CAs. It checks signatures, validity periods, and trust chains.
Returns 0 for valid certificates, non-zero for invalid.
PARAMETERS
-CAfile file
CA certificate file.
-CApath dir
CA certificate directory.
-untrusted file
Untrusted intermediates.
-partial_chain
Allow partial chain.
-verbose
Verbose output.
-x509_strict
Strict X.509 checking.
-attime time
Verification time.
-purpose purpose
Certificate purpose.
VERIFICATION CHECKS
- Signature validity
- Validity period
- Trust chain to CA
- Key usage
- Certificate purpose
EXAMPLE
# Verify server certificate
$ openssl verify -CAfile ca-bundle.crt server.crt
# Output: server.crt: OK
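The script below is an added example, not part of the original page or the OpenSSL project. It builds a constructed throwaway PKI (root, intermediate, leaf) in a temporary directory and shows how -untrusted, -partial_chain and -attime change the exit status of openssl verify. The function names, file names and subject names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: constructed demo PKI (root -> int -> leaf) with throwaway keys.

issue() {  # issue <dir> <name> <issuer> <ext-section>: key + CSR, signed by <issuer>
    openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=Demo $2" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -CAcreateserial -extfile "$1/ext.cnf" -extensions "$4" -days 30 \
        -out "$1/$2.crt" 2>/dev/null
}

make_demo_pki() {  # prints the directory holding root.crt, int.crt, leaf.crt
    d=$(mktemp -d) || return 1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$d/ext.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.crt" -subj "/CN=Demo root" -days 30 \
        2>/dev/null || return 1
    issue "$d" int root ca && issue "$d" leaf int leaf || return 1
    echo "$d"
}

check() {  # check <openssl verify args...>: prints OK or FAIL from the exit status
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

run_demo() {
    d=$(make_demo_pki) || return 1
    r="$d/root.crt"; i="$d/int.crt"; l="$d/leaf.crt"
    later=$(( $(date +%s) + 90 * 86400 ))  # 90 days ahead, past the 30-day lifetime
    echo "root trusted, intermediate via -untrusted: $(check -CAfile "$r" -untrusted "$i" "$l")"
    echo "root trusted, intermediate not supplied:   $(check -CAfile "$r" "$l")"
    echo "only intermediate in -CAfile:              $(check -CAfile "$i" "$l")"
    echo "same, with -partial_chain:                 $(check -partial_chain -CAfile "$i" "$l")"
    echo "full chain, -attime after expiry:          $(check -attime "$later" -CAfile "$r" -untrusted "$i" "$l")"
    rm -rf "$d"
}

run_demo
```

Only the first and fourth cases print OK. The fourth succeeds because -partial_chain accepts a non-self-signed certificate from the trusted file as the anchor, which narrows trust to that intermediate rather than the whole root.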
CAVEATS
openssl verify does not check revocation by default. The location of the system CA store varies between systems. Use -verbose for diagnostic information.
HISTORY
Certificate verification is fundamental to PKI, with openssl verify providing command-line access to OpenSSL's verification functions.
SEE ALSO
openssl-x509(1), openssl-s_client(1), openssl-crl(1)


