verify-cert [-c certFile] [-r rootCertFile] [-p policy] [-k keychain] [-n] [-L] [-l] [-e emailAddress]
[-s sslHost] [-q]
Verify one or more certificates.
Options:
-c certFile Certificate to verify, in DER or PEM format. Can be specified more than once; leaf
certificate has to be specified first.
-r rootCertFile
Root certificate, in DER or PEM format. Can be specified more than once. If not
specified, the system anchor certificates are used. If one root certificate is
specified, and zero (non-root) certificates are specified, the root certificate is
verified against itself.
-p policy Specify verification policy (ssl, smime, codeSign, IPSec, iChat, basic, swUpdate,
pkgSign, pkinitClient, pkinitServer, eap). Default is basic.
-k keychain Keychain to search for intermediate certs. Can be specified multiple times.
Default is the current user's keychain search list.
-n Avoid searching any keychains.
-L Use local certificates only. If an issuing CA certificate is missing, this option
will avoid accessing the network to fetch it.
-l Specifies that the leaf certificate is a CA cert. By default, a leaf certificate
with a Basic Constraints extension with the CA bit set fails verification.
-e emailAddress
Specify email address for the smime policy.
-s sslHost Specify SSL host name for the ssl policy.
-q Quiet, no stdout or stderr.
Examples
security> verify-cert -c applestore0.cer -c applestore1.cer -p ssl -s store.apple.com
security> verify-cert -r serverbasic.crt
“Even in the common affairs of life, in love, friendship, and marriage, how little security have we when we trust our happiness in the hands of others!” ~ William Hazlitt (On Living to One's-Self)
Related macOS commands:
security - Administer Keychains, keys, certificates and the Security framework.