sfernando
Staff
January 12, 2026

Technical Tip: How to verify a certificate is signed by the correct CA certificate

Description

This article describes how to verify that a certificate is signed by the correct CA.

Scope

FortiGate, FortiAuthenticator, and any other devices that involve certificate-related verification or authentication.

Solution

A well-known way to check whether a certificate has been signed by the correct CA certificate is to compare the 'Issued to' and 'Issued by' fields on the certificate's General tab. A CA certificate can be easily identified because its 'Issued by' and 'Issued to' fields have the same value. The signed certificate should show the name of the CA certificate under 'Issued by' and its own CN value under 'Issued to'.

However, there is a more technical way of verifying a certificate: using OpenSSL. OpenSSL has to be downloaded and installed on the PC/laptop where both certificates are available, or they can be stored in a folder in the respective device. Use the sites below to download OpenSSL.

Linux: Downloads.

Windows: Binaries.

 

Steps to follow:

  • On Windows, download the .exe file, which is not lightweight, and install it normally.
  • Copy the file path of the bin folder ('C:\Program Files\OpenSSL-Win64\bin').
  • Search for 'Edit the system environment variables' on the Windows machine and select 'Environment Variables'.
  • Select the Path variable and paste the bin folder path as below:

[Screenshots: adding the bin folder path to the Path environment variable]

  • Confirm OpenSSL is working by running the command below in the Windows command prompt.

[Screenshot: confirming OpenSSL is working in the Windows command prompt]

  • Upon completing the OpenSSL installation, the certificate and the CA certificate need to be downloaded to a folder.
  • In the Windows command prompt, type the command below.

openssl verify -CAfile <name of the CAfile> <name of the certificate to be verified>

[Screenshot: the command run in the Windows command prompt, with the following parts highlighted]

Red: Folder where certificates are located.

Purple: OpenSSL command for verify.

Yellow: CA certificate.

Green: Certificate signed by the CA.
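
The two checks described above can be compared side by side with the following shell script, which is an added example and not part of the original article. It creates two test CAs with the same constructed name, signs a certificate with only one of them, and shows that the 'Issued by' / 'Issued to' comparison passes for both CAs while openssl verify -CAfile passes only for the CA that actually signed the certificate. The helper function names, the name 'Example Lab CA' and the host name are hypothetical; a POSIX shell with OpenSSL on the path is assumed.

```shell
#!/bin/sh
# Added example. CA names, host name and file paths are constructed for the demo.

# make_ca DIR NAME: self-signed CA, so 'Issued to' and 'Issued by' are both NAME.
make_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert CADIR CN OUT: create a key and CSR for CN, sign it with the CA in CADIR.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$3" 2>/dev/null
}

# names_match CAFILE CERT: the field comparison done by eye in the certificate viewer.
names_match() {
    [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
      "$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')" ]
}

# signed_by CAFILE CERT: succeeds only if openssl verify accepts CERT under CAFILE.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    # Two CAs with the same name but different keys; only 'real' signs the device cert.
    make_ca "$d/real" "Example Lab CA" && make_ca "$d/other" "Example Lab CA" &&
        issue_cert "$d/real" "device.example.test" "$d/device.crt" || return 1
    for ca in real other; do
        names_match "$d/$ca/ca.crt" "$d/device.crt" && n=match || n=differ
        signed_by "$d/$ca/ca.crt" "$d/device.crt" && s=OK || s=FAIL
        echo "$ca CA: names $n, openssl verify $s"
    done
    rm -rf "$d"
}

demo
```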