-   Linux - Security (
-   -   [OpenSSL] Check validity of x509 certificate signature chain (

martvefun 02-17-2012 05:31 PM

[OpenSSL] Check validity of x509 certificate signature chain

With my electronic id, I have a x509 certificate and I would like to check the validity of this certificate.

I exported and inspect the certificate using

$ pkcs15-tool --read-certificate 02 > mykey.crt
$ openssl x509 -in mykey.crt -issuer -noout
issuer= /C=BE/CN=Citizen CA/serialNumber=200801

I went to the official certificate repository website and downloaded the citizen200801.crt (cf serial number) file and the Belgium Root CA file (actually exporting them into PEM files using firefox).

I'm able to verify the CitizenCA certificate

$ openssl verify -CAfile BelgiumRootCA CitizenCA
CitizenCA: OK

but I don't understand how to check my certificate

$ openssl verify -CAfile CitizenCA mykey.crt
mykey.crt: C = BE, CN = Citizen CA, serialNumber = 200801
error 2 at 1 depth lookup:unable to get issuer certificate

Any idea ? Thank you

War3zWad|0 02-18-2012 03:59 AM

If I recall correctly openSSL will not verify a Slef-Signed Certificate. But to test you would only use the following to verify a Certificate:

openssl verify mycert.pem
for some examples please refer to the following sites:

If you have you are using the certificate for a web server you could always put the certificate into place and then use the following website to check the certificate:

hope this information helps

martvefun 02-18-2012 05:57 AM

Ok I have found the solution, it was easy. I just needed to put the two certificates in the same file.


$ cat BelgiumRootCA CitizenCA > CAChain
$ openssl verify -CAfile CitizenCA mykey.crt
mykey.crt: OK

All times are GMT -5. The time now is 02:44 AM.