OpenSSL "verify -CAfile" - Specify Root CA Certificate


How to specify the root CA certificates that close the signing chain for the server certificate for OpenSSl "verify" command? I have downloaded the root CA certificate in a file.



If you have the root CA certificate downloaded in a file, you can provide it to the OpenSSL "verify" command using the "-CAfile" option as shown below:


OpenSSL> verify -untrusted twitter_chain.pem -CAfile DigiCert.pem twitter.pem

twitter.pem: OK

The result is good. The certificate validation passed. Let's review the "verify" command options and arguments again:

  • "twitter.pem" argument specifies the server certificate.
  • "-untrusted twitter_chain.pem" option specifies intermediate CA certificates that used in the signing chain of the server certificate.
  • "-CAfile VeriSign.pem" option specifies the root CA certificate that signs the last intermediate CA certificate in the chain.


OpenSSL "verify" Command

⇒⇒OpenSSL Tutorials

2012-07-24, 7357👍, 0💬