Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 02-17-2012, 04:31 PM   #1
Registered: Apr 2010
Location: Belgium
Distribution: Archlinux
Posts: 53

Rep: Reputation: 1
Question [OpenSSL] Check validity of x509 certificate signature chain


With my electronic id, I have a x509 certificate and I would like to check the validity of this certificate.

I exported and inspect the certificate using
$ pkcs15-tool --read-certificate 02 > mykey.crt
$ openssl x509 -in mykey.crt -issuer -noout
issuer= /C=BE/CN=Citizen CA/serialNumber=200801
I went to the official certificate repository website and downloaded the citizen200801.crt (cf serial number) file and the Belgium Root CA file (actually exporting them into PEM files using firefox).

I'm able to verify the CitizenCA certificate
$ openssl verify -CAfile BelgiumRootCA CitizenCA 
CitizenCA: OK
but I don't understand how to check my certificate
$ openssl verify -CAfile CitizenCA mykey.crt 
mykey.crt: C = BE, CN = Citizen CA, serialNumber = 200801
error 2 at 1 depth lookup:unable to get issuer certificate
Any idea ? Thank you

Last edited by martvefun; 02-17-2012 at 05:18 PM.
Old 02-18-2012, 02:59 AM   #2
Registered: Sep 2011
Location: Houston, TX
Distribution: openSuSE, Fedora, CentOS, Debian,, and others
Posts: 84

Rep: Reputation: Disabled
If I recall correctly openSSL will not verify a Slef-Signed Certificate. But to test you would only use the following to verify a Certificate:
openssl verify mycert.pem
for some examples please refer to the following sites:

If you have you are using the certificate for a web server you could always put the certificate into place and then use the following website to check the certificate:

hope this information helps
Old 02-18-2012, 04:57 AM   #3
Registered: Apr 2010
Location: Belgium
Distribution: Archlinux
Posts: 53

Original Poster
Rep: Reputation: 1
Ok I have found the solution, it was easy. I just needed to put the two certificates in the same file.

$ cat BelgiumRootCA CitizenCA > CAChain
$ openssl verify -CAfile CitizenCA mykey.crt
mykey.crt: OK


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
curlftpfs and x509 client certificate Al_ Linux - Server 1 10-25-2012 10:46 AM
OpenSSL x509: Expecting: CERTIFICATE REQUEST chakkerz Linux - Networking 5 06-10-2010 11:28 AM
ssh with DER x509 certificate umarzuki Linux - Security 3 09-14-2009 08:15 PM
Building a certificate chain from the certificate using openSSL aravinda78 Linux - Security 1 11-10-2008 01:51 AM
Help with x509 certificate and freeswan cmisip Linux - Security 3 08-18-2003 11:18 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:51 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration