How can one verify a certificate with openssl commandline?

I have read that this can be used for it:

openssl verify -verbose -CAfile cacert.pem server.crt

However, I don't know how to get a certificate file (.pem), and what is server.crt?

Any help is appreciated :)

  • That verifies the cert is issued by the CA (as your linked page says) and not expired. It does NOT check for revocation or correct identity, although you can do that manually, and by default does not check suitability for purpose, but you can do that by reading the man page on your system (unless Windows) or the website www.openssl.org under documentation. Commented Oct 1, 2016 at 5:07

1 Answer

cacert.pem in this case is the public key (or keychain) of the certificate authority that signed the certificate. server.crt is the certificate you are trying to verify. This is often used to check a self-signed certificate before using it because you need the full public key chain of the CA. For 'real' certificates (i.e., those signed by a public signing certificate authority), you need a list of all those CAs. Here are the ones Mozilla uses: https://wiki.mozilla.org/CA:IncludedCAs

If you are trying to verify the certificate of a public web server, the easy thing to do is to use the SSLLabs test service (https://www.ssllabs.com/ssltest/). If it is a private service, use a couple of known good browsers on known clean installs and just right click on the lock and view the certificate; it'll tell you who the root CA is and let you know if there are any chain issues.

  • -CAfile must contain only PEM-format certificate(s) for the CA(s) to be trusted and optionally CRLs; in addition to the CA public key, the Subject, Issuer, Validity, SKI, BC, KU, and (possibly) EKU fields from the cert are used. Except for the recently-released 1.1.0, OpenSSL will only verify a cert chain that ends in a root cert, and certs issued by public CAs (practically always) require at least one chain cert between a user cert and the root. Commented Oct 1, 2016 at 5:13
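As an added example (not from the question, the answer or the comments above), the following script builds a throwaway root CA, an intermediate and a server certificate, then shows what `openssl verify -CAfile` accepts and rejects: the chain cert must be supplied, the identity is only checked when asked for with -verify_hostname, and purpose is only checked with -purpose. It assumes OpenSSL 1.1.1 or newer on PATH; the names demo-root, demo-int and www.example.test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original answer. Builds root -> intermediate -> server in a temp
# directory; all names are constructed. A private config keeps it independent of /etc/ssl/openssl.cnf.
set -eu
make_demo_pki() {
  # Writes root.pem (trust anchor for -CAfile), int.pem (chain cert) and server.pem into $1.
  dir=$1
  cat >"$dir/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = demo-root
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"   # unquoted below on purpose
  # Root CA: self-signed, CA:TRUE. This is the only thing that goes into -CAfile.
  openssl req -config "$dir/pki.cnf" -x509 $KEY -days 30 -extensions ca_ext \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # Intermediate CA: CSR signed by the root (the "chain cert" public CAs almost always have).
  openssl req -config "$dir/pki.cnf" -new $KEY -subj "/CN=demo-int" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -days 30 -extfile "$dir/pki.cnf" -extensions ca_ext -out "$dir/int.pem" 2>/dev/null
  # Server leaf: signed by the intermediate, with a SAN so the host name can be checked.
  openssl req -config "$dir/pki.cnf" -new $KEY -subj "/CN=www.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -days 30 -extfile "$dir/pki.cnf" -extensions server_ext -out "$dir/server.pem" 2>/dev/null
}
verify_chain() {
  # $1 = directory from make_demo_pki; remaining args go to openssl verify. Exit status is verify's own.
  dir=$1; shift
  openssl verify -CAfile "$dir/root.pem" "$@" "$dir/server.pem" >/dev/null 2>&1
}
D=$(mktemp -d)
make_demo_pki "$D"
report() { if verify_chain "$D" "$@"; then echo "pass: openssl verify $*"; else echo "FAIL: openssl verify $*"; fi; }
report -untrusted "$D/int.pem"                                     # full chain: pass
report                                                             # chain cert missing: fail
report -untrusted "$D/int.pem" -verify_hostname www.example.test   # identity matches the SAN: pass
report -untrusted "$D/int.pem" -verify_hostname mail.example.test  # wrong host name: fail
report -untrusted "$D/int.pem" -purpose sslclient                  # EKU is serverAuth only: fail
rm -rf "$D"
```

Note that none of these runs consults a CRL or OCSP responder, so a revoked certificate would still pass every line above.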
