Linux command
verify command
After copying a command, replace the file names, directories, or parameters as needed.
Common examples
Verify a certificate
openssl verify [certificate.pem]
Verify with a specific CA file
openssl verify -CAfile [ca-bundle.pem] [certificate.pem]
Verify with intermediate certificates
openssl verify -untrusted [intermediate.pem] [certificate.pem]
Verify and show the certificate chain
openssl verify -show_chain [certificate.pem]
Verify hostname matches certificate
openssl verify -verify_hostname [example.com] [certificate.pem]
Verify with verbose output
openssl verify -verbose [certificate.pem]
Verify with CRL checking
openssl verify -crl_check -CRLfile [crl.pem] [certificate.pem]
Description
openssl verify validates X.509 certificate chains by checking signatures, validity periods, and trust anchors. It builds a chain from the target certificate up to a trusted root CA and verifies each link: it first locates issuer certificates (from the -untrusted file, the trusted store, or the certificate file itself), then checks each certificate's signature, validity dates, and constraints such as basicConstraints, key usage, and name constraints. The chain must terminate at a trusted root CA found in the CA file, CA path, CA store, or the default system trust store, unless -partial_chain allows it to end at a trusted intermediate. On success the command prints the file name followed by ": OK" and exits 0. On failure it prints a line of the form "error N at D depth lookup: reason", where N is the X509_V_ERR code and D is the depth of the offending certificate (0 being the end-entity certificate), followed by "error certificate.pem: verification failed", and exits with a non-zero status. Common reasons are "unable to get local issuer certificate" (error 20: the issuer, usually an intermediate, was not supplied), "certificate has expired" (error 10), and "self-signed certificate in certificate chain" (error 19: the chain reached a root that is not in the trust store). There is no standalone verify binary; the command is always invoked as openssl verify.
Parameters
- -CAfile _file_
- File containing trusted CA certificates in PEM format.
- -CApath _dir_
- Directory containing trusted CA certificates (hashed filenames).
- -untrusted _file_
- File containing intermediate certificates used only for chain building; they are not treated as trust anchors.
- -trusted _file_
- File containing explicitly trusted certificates.
- -show_chain
- Display the full certificate chain that was built.
- -verbose
- Print extra information about verification process.
- -verify_hostname _hostname_
- Verify that the hostname matches a DNS entry in the certificate's subjectAltName (the subject CN is consulted only when no DNS SAN is present); combine with -purpose sslserver to also enforce TLS-server key usage.
- -verify_email _email_
- Verify that the certificate matches the specified email address.
- -verify_ip _ip_
- Verify that the certificate matches the specified IP address.
- -verify_depth _num_
- Maximum depth of certificate chain to verify.
- -crl_check
- Check the end-entity certificate against a CRL. A CRL for its issuer must be loaded (via -CRLfile or the CA path); otherwise verification fails with "unable to get certificate CRL".
- -crl_check_all
- Check entire chain against CRL.
- -CRLfile _file_
- File containing Certificate Revocation List.
- -partial_chain
- Accept a chain that ends at any certificate in the trusted store, for example an intermediate, instead of requiring it to reach a self-signed root.
- -purpose _purpose_
- Intended use: sslclient, sslserver, smimesign, smimeencrypt, etc.
- -no_check_time
- Skip validity-period checks entirely (notBefore and notAfter are not compared against any time).
- -attime _timestamp_
- Verify the chain at the specified UNIX timestamp instead of current time.
- -policy _oid_
- Require the specified certificate policy OID in the chain.
- -CAstore _uri_
- URI to a store of trusted CA certificates (e.g., file: or store:); OpenSSL 3.0 and later.
FAQ
What is the verify command used for?
It validates an X.509 certificate chain: it builds the chain from the target certificate up to a trusted root, checks each certificate's signature, validity period, and constraints, and prints "OK" (exit status 0) or the specific error and the depth at which verification failed (non-zero exit status). See the description above for the common error messages.
How do I run a basic verify example?
Run `openssl verify [certificate.pem]` in a terminal, then adjust the file names, paths, and flags for your system. For a certificate issued by a private CA, add -CAfile with the root certificate and -untrusted with any intermediates.
What does -CAfile _file_ do in verify?
File containing trusted CA certificates in PEM format.