posts:x.509: add certificate verification examples for OpenSSL and GnuTLS.
author W. Trevor King <wking@tremily.us>
Thu, 27 Sep 2012 20:22:25 +0000 (16:22 -0400)
committer W. Trevor King <wking@tremily.us>
Thu, 27 Sep 2012 20:22:25 +0000 (16:22 -0400)
posts/X.509_certificates.mdwn

index 9e30ac72ed871342c4c3059d479b8ed1866d55fe..ad3b77bca122202d3b3d2c55f377be22bc0e6823 100644 (file)
@@ -44,6 +44,16 @@ names][SAN].  Just add more `dns_name` entries to your template:
     $ echo 'dns_name = other.gnutls.org' >> server.tmpl
     $ certtool --generate-certificate …
 
+You can verify a certificate if you can supply the whole certificate
+chain.
+
+    $ certtool --verify-chain --infile x509-server.pem --infile x509-ca.pem
+
+With versions of GnuTLS since 2.99.0 (released 2011-04-09), you can
+verify against the global list of trusted CAs.
+
+    $ certtool --verify --load-ca-certificate /etc/ssl/certs/ca-certificates.crt --infile x509-server.pem
+
 OpenSSL
 =======
 
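Review bot: the second example's prose says it verifies "against the global list of trusted CAs", but the command explicitly loads `/etc/ssl/certs/ca-certificates.crt`, which is the path of the [Debian] [ca-certificates] bundle already linked from this post; naming that dependency here would help readers on systems that keep the bundle elsewhere. For the `--verify-chain` example, check that `certtool` actually honours `--infile` given twice rather than keeping only the last one; the documented input is a single PEM stream holding the chain ordered leaf first with the self-signed CA last, so `cat x509-server.pem x509-ca.pem | certtool --verify-chain` is the safer form to show.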
@@ -92,6 +102,11 @@ You can also print certificates with [x509][].
 
     $ openssl x509 -in cert.pem -noout -text
 
+You can verify a certificate if you can supply the whole certificate
+chain with [verify][].
+
+    $ openssl verify cert.pem
+
 PEM
 ===
 
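Review bot: `openssl verify cert.pem` with no `-CAfile`, `-CApath` or `-untrusted` option does not take the chain from the user; it checks `cert.pem` against OpenSSL's default trust store, so the sentence "if you can supply the whole certificate chain" does not match the command shown. Either drop that clause or show the chain being supplied, e.g. `openssl verify -CAfile ca.pem cert.pem` (adding `-untrusted intermediates.pem` for any intermediate certificates), which would also mirror the GnuTLS `--verify-chain` example above.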
@@ -210,6 +225,7 @@ time.
 [req]: http://www.openssl.org/docs/apps/req.html
 [x509v3_config]: http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
 [x509]: http://www.openssl.org/docs/apps/x509.html
+[verify]: http://www.openssl.org/docs/apps/verify.html
 [Debian]: http://debian.org/
 [ca-certificates]: http://packages.debian.org/sid/ca-certificates
 [.pem]: http://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions