Checking whether a certificate is valid is done with openssl verify cert_file_here.crt. Among other things, this checks that the certificate's format and chain are correct. With -CAfile it also checks that the certificate was signed by the CA certificate you provide.
Let's create the CA certificate:
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=US/ST=CA/L=San Francisco/O=My CA/CN=My Certificate Authority"
Then let's create the client certificate, signed by the CA created above:
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=US/ST=CA/L=Somewhere/O=My Client/CN=somewhere.example.com"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
Certificate validation succeeds:
openssl verify -CAfile ca.crt client.crt
client.crt: OK
Now let's see what happens when we verify the client certificate against a different CA certificate. Create the new CA:
openssl genrsa -out ca2.key 2048
openssl req -new -x509 -days 365 -key ca2.key -out ca2.crt -subj "/C=US/ST=NY/L=Over the rainbow/O=Different CA/CN=Different Certificate Authority"
Boom, it fails:
openssl verify -CAfile ca2.crt client.crt
C = US, ST = CA, L = Somewhere, O = My Client, CN = somewhere.example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error client.crt: verification failed
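The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that builds two CAs in a scratch directory, issues a leaf certificate from the first, and then runs openssl verify against both, so the success and the failure can be compared side by side. It also prints the issuer name embedded in the leaf certificate next to each CA's subject, which is the field openssl uses to look up the issuer and the reason the second check fails. The helper names (make_ca, issue_leaf, verify_against, name_of) and the scratch directory are this example's own; the subjects and openssl options are the ones used in the post.

```shell
#!/bin/sh
# Added example (not the post's own script): CA -> leaf -> verify with the
# right CA and with an unrelated one. Requires the openssl CLI.
set -u

WORK="$(mktemp -d)"            # scratch directory for keys and certs
trap 'rm -rf "$WORK"' EXIT     # clean up on exit

# make_ca NAME SUBJECT: self-signed CA certificate and key
make_ca() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/$1.key" \
    -out "$WORK/$1.crt" -subj "$2" 2>/dev/null
}

# issue_leaf NAME SUBJECT CA: key + CSR, then sign the CSR with CA's key
issue_leaf() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days 365 2>/dev/null
}

# verify_against CA LEAF: prints OK or FAIL, returns openssl verify's status
verify_against() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
    return 1
  fi
}

# name_of FIELD CERT: the subject or issuer DN in RFC 2253 form, prefix stripped
name_of() {
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$WORK/$2.crt" 2>/dev/null \
    | sed 's/^[a-z]*= *//'
}

make_ca ca  "/C=US/ST=CA/L=San Francisco/O=My CA/CN=My Certificate Authority"
make_ca ca2 "/C=US/ST=NY/L=Over the rainbow/O=Different CA/CN=Different Certificate Authority"
issue_leaf client "/C=US/ST=CA/L=Somewhere/O=My Client/CN=somewhere.example.com" ca

# Capture outcomes; "|| true" keeps a FAIL from aborting under set -e.
RIGHT_CA="$(verify_against ca  client)" || true
WRONG_CA="$(verify_against ca2 client)" || true
LEAF_ISSUER="$(name_of issuer client)"
CA_SUBJECT="$(name_of subject ca)"
CA2_SUBJECT="$(name_of subject ca2)"

echo "issuer in client.crt : $LEAF_ISSUER"
echo "subject of ca.crt    : $CA_SUBJECT"
echo "subject of ca2.crt   : $CA2_SUBJECT"
echo "verify with ca.crt   : $RIGHT_CA"
echo "verify with ca2.crt  : $WRONG_CA"
```

The verify step looks for a certificate in -CAfile whose subject matches the leaf's issuer and whose key checks the leaf's signature; ca2.crt satisfies neither, which is what error 20 ("unable to get local issuer certificate") at depth 0 reports. Note that the script silences openssl's stderr for brevity; drop the 2>/dev/null redirections to see the same error text as in the post.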