A certificate can look acceptable when opened by itself and still fail once a service, proxy, or client has to build a trust path. Verifying the chain with OpenSSL catches a missing intermediate, wrong root file, or broken issuer link before the certificate bundle is installed.

OpenSSL starts with the target leaf certificate and builds upward until it reaches a trusted anchor. Use -CAfile for the root or trusted CA bundle and -untrusted for intermediate certificates that may help build the path but should not become trust anchors.

The examples below use three PEM files in the current directory: server.crt for the leaf certificate, intermediate-ca.pem for the intermediate CA, and root-ca.pem for the trusted root CA. Put all options before server.crt because openssl verify treats the first non-option argument as the start of the target certificate list.

Steps to verify a certificate chain using OpenSSL:

  1. Open a terminal in the directory that contains the leaf, intermediate, and trusted root PEM files.
    $ ls server.crt intermediate-ca.pem root-ca.pem
    intermediate-ca.pem  root-ca.pem  server.crt

    If the issuer supplied several intermediate certificates, place them in one PEM file or repeat -untrusted for each intermediate file.

  2. Verify the leaf certificate against the trusted root and the supplied intermediate certificate.
    $ openssl verify -CAfile root-ca.pem -untrusted intermediate-ca.pem server.crt
    server.crt: OK

    server.crt: OK means OpenSSL built a valid path from the leaf certificate through the supplied intermediate certificate to the trusted certificate in root-ca.pem.

  3. Display the chain that OpenSSL built.
    $ openssl verify -show_chain -CAfile root-ca.pem -untrusted intermediate-ca.pem server.crt
    server.crt: OK
    Chain:
    depth=0: CN=www.example.com (untrusted)
    depth=1: CN=Example Intermediate CA (untrusted)
    depth=2: CN=Example Root CA

    Depth 0 is the leaf certificate. Certificates marked untrusted came from the chain-building input, not from the trusted root store.

  4. Confirm that the intermediate certificate is actually required when checking a deployment bundle.
    $ openssl verify -CAfile root-ca.pem server.crt
    CN=www.example.com
    error 20 at 0 depth lookup: unable to get local issuer certificate
    error server.crt: verification failed

    This failure is expected when server.crt was issued by intermediate-ca.pem and the intermediate is not supplied. Install or export the missing intermediate with the leaf certificate before deploying the bundle.

  5. Add TLS server purpose and hostname checks when the certificate will be used by a TLS endpoint.
    $ openssl verify -CAfile root-ca.pem -untrusted intermediate-ca.pem -purpose sslserver -verify_hostname www.example.com server.crt
    server.crt: OK

    A successful chain check alone does not prove that the certificate covers the service hostname. Use -verify_hostname with the DNS name clients will connect to.

  6. Replace any wrong, expired, or missing certificate file and rerun the same verification command until the target certificate returns OK.

    Do not hide a chain failure by moving an intermediate CA into -CAfile unless that intermediate is intentionally trusted as an anchor. For normal chain validation, the trusted root belongs in -CAfile and intermediates belong in -untrusted.
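As an added example (not part of the original steps), the following POSIX shell script builds a constructed root -> intermediate -> leaf hierarchy with openssl in a temporary directory, using the same file names as above, and then runs the checks from steps 2, 4 and 5 through a single verify_chain helper that turns the openssl result into one word. The RSA-2048 keys, subject names, one-day validity and the hostname www.example.com are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page): build a constructed root -> intermediate ->
# leaf hierarchy in a temp dir with the page's file names, then run the page's
# verify checks. RSA-2048, the subject names and www.example.com are assumptions.
set -eu
d=$(mktemp -d)

# issue CERT SUBJ EXTS [SIGNER]: CSR plus key under $d, signed by SIGNER's key
# (self-signed when SIGNER is omitted); extensions come only from EXTS
issue() {
  cert=$d/$1 base=$d/${1%.*} subj=$2 exts=$3 signer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$base.key" -out "$base.csr" 2>/dev/null
  printf '%s\n' "$exts" > "$base.ext"
  if [ -z "$signer" ]; then set -- -signkey "$base.key"
  else set -- -CA "$d/$signer" -CAkey "$d/${signer%.*}.key" -CAcreateserial; fi
  openssl x509 -req -in "$base.csr" "$@" -days 1 -extfile "$base.ext" \
    -out "$cert" 2>/dev/null
}

# verify_chain ROOT INTERMEDIATES LEAF HOST: prints one word so the result can
# be compared; root goes in -CAfile, intermediates in -untrusted (steps 2 and 5)
verify_chain() {
  root=$1 ints=$2 leaf=$3 host=$4
  if [ -n "$ints" ]; then set -- -untrusted "$ints"; else set --; fi
  if out=$(openssl verify -CAfile "$root" "$@" -purpose sslserver \
             -verify_hostname "$host" "$leaf" 2>&1); then
    echo OK; return 0
  fi
  case $out in
    *"unable to get local issuer certificate"*) echo MISSING_ISSUER ;;  # step 4
    *"ostname mismatch"*) echo HOSTNAME_MISMATCH ;;                     # step 5
    *) echo FAIL ;;
  esac
}

ca_exts='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
leaf_exts='basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.com'
issue root-ca.pem "/CN=Example Root CA" "$ca_exts"
issue intermediate-ca.pem "/CN=Example Intermediate CA" "$ca_exts" root-ca.pem
issue server.crt "/CN=www.example.com" "$leaf_exts" intermediate-ca.pem

echo "full chain:           $(verify_chain "$d/root-ca.pem" "$d/intermediate-ca.pem" "$d/server.crt" www.example.com)"
echo "intermediate missing: $(verify_chain "$d/root-ca.pem" "" "$d/server.crt" www.example.com)"
echo "wrong hostname:       $(verify_chain "$d/root-ca.pem" "$d/intermediate-ca.pem" "$d/server.crt" other.example.com)"
```

The three echo lines reproduce the outcomes of steps 2, 4 and 5 in order: OK, MISSING_ISSUER and HOSTNAME_MISMATCH.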