Squoggle
Mac's tech blog
Validate a Certificate’s Chain
Posted by on April 30, 2020
You can validate a Certificate’s chain by extracting the Authority Key Identifier from the cert like this:
$ openssl x509 -text -in [cert-name].crt | grep -A 1 "Authority Key Identifier"
You should get a result similar to this:
X509v3 Authority Key Identifier:
    keyid:FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43
This is the key identifier of the Intermediate Cert that issued the cert. It should match the “Subject Key Identifier” of the Intermediate Cert.
Get the “Subject Key Identifier” of the Intermediate Cert:
$ openssl x509 -text -in [intermediate-cert-name].crt | grep -A 1 "Subject Key Identifier"
You should get a result similar to this:
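X509v3 Subject Key Identifier:
    FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43
If the two identifiers match then you have the correct Intermediate Cert for the Cert. A match only shows which issuer the cert names; it does not by itself check the issuer's signature on the cert.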
You can now repeat the process with the Intermediate Cert and the root Cert and validate that the root cert you have is the one for the Intermediate.
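The whole procedure above as a script, added here as an example and not part of the original post: it compares the identifiers at each link and then goes one step further by checking the signatures with openssl verify, since identifiers alone are not signed proof of issuance. The function names, the throwaway test chain and every file name are assumptions made for the demo.

```sh
# Added example: names, subjects and paths are constructed for the demo.

# Print the key identifier shown under the named X509v3 extension.
key_id() {  # usage: key_id <cert.pem> "Authority Key Identifier"
  openssl x509 -noout -text -in "$1" | grep -A 1 "X509v3 $2" |
    tail -n 1 | sed 's/keyid://' | tr -d ' \n'
}

# Succeed when the child's AKI equals the candidate issuer's SKI.
issued_by() {  # usage: issued_by <child.pem> <issuer.pem>
  aki=$(key_id "$1" "Authority Key Identifier")
  ski=$(key_id "$2" "Subject Key Identifier")
  [ -n "$aki" ] && [ "$aki" = "$ski" ]
}

# Match identifiers leaf -> intermediate -> root, then check the signatures.
check_chain() {  # usage: check_chain <leaf.pem> <inter.pem> <root.pem>
  issued_by "$1" "$2" || { echo "AKI/SKI mismatch: $1 / $2"; return 1; }
  issued_by "$2" "$3" || { echo "AKI/SKI mismatch: $2 / $3"; return 1; }
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1 ||
    { echo "identifiers match, signature check failed"; return 2; }
}

# Sign <dir>/<name>.csr with extension section <sect>; extra args pick the signer.
sign() {  # usage: sign <dir> <name> <sect> <openssl x509 signer options...>
  sd=$1; sn=$2; ss=$3; shift 3
  openssl x509 -req -in "$sd/$sn.csr" -extfile "$sd/ext.cnf" \
    -extensions "$ss" -out "$sd/$sn.pem" "$@" 2>/dev/null
}

# Build a throwaway root, intermediate, leaf and an unrelated CA in <dir>.
make_chain() {  # usage: make_chain <dir>
  d=$1
  printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
    'subjectKeyIdentifier=hash' '[inter]' 'basicConstraints=critical,CA:TRUE' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' \
    '[leaf]' 'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' >"$d/ext.cnf"
  for n in root inter leaf other; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -subj "/CN=example-$n" -out "$d/$n.csr" 2>/dev/null
  done
  sign "$d" root ca -signkey "$d/root.key"
  sign "$d" other ca -signkey "$d/other.key"
  sign "$d" inter inter -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial
  sign "$d" leaf leaf -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial
}

# Demo run against the constructed chain.
demo=$(mktemp -d) && make_chain "$demo" && check_chain "$demo/leaf.pem" "$demo/inter.pem" "$demo/root.pem" && echo "chain OK"
```

To check real files, call check_chain with the cert, the Intermediate Cert and the root cert in that order; a cert that carries no Authority Key Identifier is reported as a mismatch.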