verify-cert [-c certFile] [-r rootCertFile] [-p policy] [-k keychain] [-n] [-L] [-l] [-e emailAddress] [-s sslHost] [-q]

Verify one or more certificates.

Options:

   -c certFile       Certificate to verify, in DER or PEM format.
                     Can be specified more than once; leaf certificate has to be specified first.

   -r rootCertFile   Root certificate, in DER or PEM format.
                     Can be specified more than once.
                     If not specified, the system anchor certificates are used.
                     If one root certificate is specified, and zero (non-root) certificates
                     are specified, the root certificate is verified against itself.

   -p policy         Specify verification policy (ssl, smime, codeSign, IPSec, iChat, basic,
                     swUpdate, pkgSign, pkinitClient, pkinitServer, eap).
                     Default is basic.

   -k keychain       Keychain to search for intermediate certs.
                     Can be specified multiple times.
                     Default is the current user's keychain search list.

   -n                Avoid searching any keychains.

   -L                Use local certificates only. If an issuing CA certificate is missing,
                     this option will avoid accessing the network to fetch it.

   -l                Specifies that the leaf certificate is a CA cert. By default, a leaf
                     certificate with a Basic Constraints extension with the CA bit set
                     fails verification.

   -e emailAddress   Specify email address for the smime policy.

   -s sslHost        Specify SSL host name for the ssl policy.

   -q                Quiet, no stdout or stderr.

Examples

   security> verify-cert -c applestore0.cer -c applestore1.cer -p ssl -s store.apple.com

   security> verify-cert -r serverbasic.crt
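An added example, not part of the original reference page: a shell function that combines -c, -r, -p ssl, -s, -n, -L and -q to check a server chain against one pinned root, with no keychain search and no network fetch of missing issuers. The function name verify_pinned is hypothetical, and the function assumes verify-cert returns a non-zero exit status when verification fails (with -q the exit status is the only result available).

```bash
# verify_pinned host root leaf [intermediate ...]
#   host          name the leaf must be valid for (passed to -s)
#   root          the only trust anchor accepted (passed to -r)
#   leaf          server certificate; must come first, as -c requires
#   intermediate  any further chain certificates, in order
# Returns 0 if the chain verifies, 2 on a usage or file error,
# otherwise whatever status verify-cert returned (assumed non-zero on failure).
verify_pinned() {
    if [ "$#" -lt 3 ]; then
        echo "usage: verify_pinned host root leaf [intermediate ...]" >&2
        return 2
    fi
    vp_host=$1
    vp_root=$2
    shift 2

    # Fail early on unreadable input so a typo is not mistaken for a bad chain.
    for vp_file in "$vp_root" "$@"; do
        if [ ! -r "$vp_file" ]; then
            echo "verify_pinned: cannot read $vp_file" >&2
            return 2
        fi
    done

    # Turn "leaf int1 int2" into "-c leaf -c int1 -c int2", keeping the order
    # so that the leaf certificate is still the first -c argument.
    vp_left=$#
    while [ "$vp_left" -gt 0 ]; do
        set -- "$@" -c "$1"
        shift
        vp_left=$((vp_left - 1))
    done

    # -n: do not pull intermediates from any keychain
    # -L: do not fetch a missing issuer over the network
    # Every certificate used in the chain is therefore one named above.
    security verify-cert "$@" -r "$vp_root" -p ssl -s "$vp_host" -n -L -q
}

# Example call (file names are constructed placeholders):
#   verify_pinned store.apple.com pinned-root.pem leaf.pem intermediate.pem \
#       && echo "chain OK" || echo "chain rejected"
```

Because -n and -L are both set, a chain that only verifies when an intermediate is found in a keychain or fetched from the network is reported as a failure here, which makes a missing intermediate visible instead of silently filled in.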
“Even in the common affairs of life, in love, friendship, and marriage, how little security have we when we trust our happiness in the hands of others!” ~ William Hazlitt (On Living to One's-Self)
Related macOS commands:
security - Administer Keychains, keys, certificates and the Security framework.
codesign - Create and manipulate code signatures.