Technical Blog Post
Checking for a complete certificate chain
Certificate problems are often due to an incomplete chain. When using chained certificates, you will have a root certificate, one or more intermediate certificates, and an identity certificate. The problem is that, many times, when they are checked in one or more of these parts is missing. To check whether you have a complete chain, run the following command against each certificate. The root certificate should have identical "subject" and "issuer" content. Every certificate below it should have an "issuer" that matches the "subject" of the certificate preceding it in the chain:
$ openssl x509 -issuer -subject -noout -in IBM_ironman_root.txt
issuer= /C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
subject= /C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
$ openssl x509 -issuer -subject -noout -in IBM_ironman_intermediate.txt
issuer= /C=US/O=International Business Machines Corporation/CN=IBM Internal Root CA
subject= /C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
Note that the "issuer" here is actually the "subject" of the previous certificate.
$ openssl x509 -issuer -subject -noout -in IBM_ironman_identity.txt
issuer= /C=US/O=International Business Machines Corporation/CN=IBM INTERNAL INTERMEDIATE CA
subject= /C=US/ST=Irving, TX/L=Irving, TX/O=ibm.com/OU=SWG/CN=ironman.irv.ustx.ibm.com/UID=7D8918897/mail=cdadmin@us.ibm.com
Note that the "issuer" here is actually the "subject" of the previous certificate.
You may also need to check the dates of each certificate to make sure they are within their validity period:
$ openssl x509 -text -noout -in certificate-1.txt
Validity
Not Before: Nov 12 05:00:00 2015 GMT
Not After : Nov 11 04:59:59 2018 GMT
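The two checks above (issuer/subject linkage and validity dates) can be scripted. The following is an added example, not code from the original post: it builds a constructed root -> intermediate -> identity chain with hypothetical names, then walks it in order the way the post describes, and finishes with openssl verify because matching names show the files are in the right order but say nothing about whether the signatures are valid.

```shell
#!/bin/sh
# Added example, not code from the original post: build a constructed
# root -> intermediate -> identity chain (hypothetical names), then check it
# the way the post describes. Needs openssl 1.1.1 or later on PATH.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# mkcsr NAME SUBJECT : private key plus CSR for one constructed certificate.
mkcsr() { openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }
mkcsr root "/O=Example Corp/CN=Example Root CA"
mkcsr int  "/O=Example Corp/CN=Example Intermediate CA"
mkcsr leaf "/O=example.com/CN=host.example.com"
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
  -extfile ca.ext -out int.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 \
  -out leaf.pem 2>/dev/null

# cert_field FILE issuer|subject : the DN in RFC 2253 form with the "issuer="/
# "subject=" prefix stripped, so comparisons do not depend on OpenSSL's pretty-printing.
cert_field() { openssl x509 -noout -nameopt RFC2253 "-$2" -in "$1" | sed 's/^[a-z]*=//'; }

# check_chain ROOT [INTERMEDIATE...] IDENTITY : files in chain order, root first.
# Fails on the first problem: a root that is not self-issued, an issuer that is not
# the previous subject, or a certificate that has expired (-checkend 0 tests notAfter only).
check_chain() {
  prev=""
  for f in "$@"; do
    issuer=$(cert_field "$f" issuer); subject=$(cert_field "$f" subject)
    if [ -z "$prev" ]; then
      [ "$issuer" = "$subject" ] || { echo "$f: root is not self-issued"; return 1; }
    elif [ "$issuer" != "$prev" ]; then
      echo "$f: issuer '$issuer' is not the previous subject '$prev'"; return 1
    fi
    openssl x509 -noout -checkend 0 -in "$f" >/dev/null || { echo "$f: expired"; return 1; }
    prev=$subject
  done
}

# Matching names only prove the files are in order; they do not prove the signatures.
# verify_chain ROOT INTERMEDIATE IDENTITY lets OpenSSL validate the signatures as well.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null; }

check_chain root.pem int.pem leaf.pem && verify_chain root.pem int.pem leaf.pem \
  && echo "chain root.pem -> int.pem -> leaf.pem is complete and valid"
```

Run it against your own files by replacing the constructed root.pem, int.pem and leaf.pem with the certificates from your chain, in root-first order.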