How to View and Verify Certificate Chains Using OpenSSL Commands


When working with SSL/TLS certificates across different platforms, you'll notice significant differences in how certificate chains are displayed. Windows provides a clear hierarchical view through both GUI tools and certutil, while macOS's Keychain Access presents a less intuitive interface.

To view basic certificate information with OpenSSL:

openssl x509 -in certificate.crt -text -noout

This shows the certificate details but doesn't display the full chain hierarchy. You'll only see the immediate issuer in the output.

For a complete chain view, use these OpenSSL commands:

# For PEM format certificates
openssl crl2pkcs7 -nocrl -certfile certificate.pem | openssl pkcs7 -print_certs -text -noout

# For PKCS12 files (PFX): "openssl x509" prints only the first certificate it reads,
# so hand the whole PEM output to crl2pkcs7 instead of x509 to see every certificate
openssl pkcs12 -in certificate.pfx -nodes -nokeys | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -text -noout

To verify the entire chain against a trusted CA store:

openssl verify -CAfile root-ca.crt -untrusted intermediate.crt end-entity.crt

Where:

  • root-ca.crt contains your trusted root certificate(s)
  • intermediate.crt contains any intermediate certificates
  • end-entity.crt is your server certificate

When working with PFX files containing full chains:

# Extract all certificates in the chain
openssl pkcs12 -in certificate.pfx -nokeys -out chain.pem -nodes

# Then view them sequentially
openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -text -noout

For macOS users who want to inspect the Keychain from the command line instead of the GUI:

# Use security command-line tool
security find-certificate -a -p /Library/Keychains/System.keychain > certs.pem

# Then view with OpenSSL
openssl crl2pkcs7 -nocrl -certfile certs.pem | openssl pkcs7 -print_certs -text -noout

Here's how to examine a remote server's certificate chain:

# Get the complete chain from a server
openssl s_client -showcerts -connect example.com:443 -servername example.com < /dev/null > fullchain.pem

# Then view the chain structure
openssl crl2pkcs7 -nocrl -certfile fullchain.pem | openssl pkcs7 -print_certs -text -noout

For regular certificate chain inspections, consider this bash script:

#!/bin/bash

CERTFILE=$1

if [ -z "$CERTFILE" ] || [ ! -r "$CERTFILE" ]; then
  echo "usage: $0 chain.pem" >&2
  exit 1
fi

echo "Certificate Chain Analysis: $CERTFILE"
echo "====================================="

# Extract and number each certificate in the chain.
# -print_certs without -text emits one "subject=" and one "issuer=" line per
# certificate, which is what the awk patterns match; with -text the output
# says "Subject:" / "Issuer:" instead and nothing would be printed.
openssl crl2pkcs7 -nocrl -certfile "$CERTFILE" | \
  openssl pkcs7 -print_certs -noout | \
  awk '/^subject=/ {print "Certificate " ++i ":"; print} /^issuer=/ {print; print "---"}'

Save it as chainview.sh, make it executable with chmod +x chainview.sh, and run ./chainview.sh your_cert.pem


When working across Windows, Linux, and macOS systems, developers often face inconsistent certificate chain visualization. Windows provides clear hierarchical views through both GUI tools and certutil, while macOS Keychain Access presents a flatter representation that obscures the chain relationship.

The standard openssl x509 command only shows immediate issuer information. To properly view the entire chain, use these approaches:

# View complete certificate chain (PEM format)
openssl crl2pkcs7 -nocrl -certfile bundle.pem | openssl pkcs7 -print_certs -text -noout

# For PKCS#12 files (PFX); -info also reports the MAC and encryption algorithms of the container
openssl pkcs12 -info -in certchain.pfx -nodes -passin pass:yourpassword
# Note: -passin pass:... makes the password visible to other users in the process list;
# omit it to be prompted interactively, or use -passin stdin

When preparing certificates for distribution, ensure proper chain order:

# Combine certificates in correct chain order (end-entity first)
cat server.crt intermediate.crt root.crt > fullchain.pem

# Verify chain order visually
openssl crl2pkcs7 -nocrl -certfile fullchain.pem | openssl pkcs7 -print_certs -text -noout

On macOS, these commands provide better chain visibility:

# Using security CLI tool
security find-certificate -a -p > allcerts.pem

# For specific cert in Keychain
security find-certificate -c "Common Name" -p

For complete chain validation including path building:

openssl verify -verbose -CAfile root.crt -untrusted intermediate.crt server.crt

# With the intermediates bundled in a single file: pass the bundle as -untrusted, never as -CAfile.
# A -CAfile that contains the server certificate itself turns the server certificate into a trust
# anchor, so the check passes trivially and proves nothing about the chain.
openssl verify -verbose -CAfile root.crt -untrusted fullchain.pem server.crt

For developers preferring visual representation:

# Print one Graphviz DOT edge (subject -> issuer) for a certificate
openssl x509 -in cert.pem -noout -subject -issuer | \
awk '/^subject=/ {sub(/^subject=/, ""); s=$0} /^issuer=/ {sub(/^issuer=/, ""); print "\"" s "\" -> \"" $0 "\";"}'

Wrap the edges in digraph chain { ... } to make a complete DOT file, then pipe it to Graphviz (for example dot -Tpng -o chain.png) to draw the diagram.
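To take the single-certificate edge above to a whole bundle, here is an added example (not from the original article, and not OpenSSL's or Graphviz's own tooling) that reuses the crl2pkcs7 | pkcs7 -print_certs pipeline from the earlier sections: it lists every certificate's subject and issuer, checks the leaf-first ordering described under chain preparation, emits a complete DOT graph, and finishes with the openssl verify call from the validation section. It assumes a POSIX shell, awk and an openssl 1.1.1 or newer binary on PATH. The root/intermediate/leaf chain it builds, the names "Example Test Root" and www.example.test, and the helper names (chain_pairs, chain_count, chain_ok, chain_dot, make_test_chain) are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: walk a PEM bundle with the
# crl2pkcs7 | pkcs7 pipeline, check leaf-to-root ordering, and emit real DOT.
# The chain under test is constructed on the fly (root -> intermediate -> leaf).
set -eu

tab=$(printf '\t')

# chain_pairs BUNDLE: one "subject<TAB>issuer" line per certificate, in file order.
# -print_certs without -text yields "subject=" / "issuer=" lines we can match.
chain_pairs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { sub(/^subject=/, ""); s = $0 }
         /^issuer=/  { sub(/^issuer=/, "");  printf "%s\t%s\n", s, $0 }'
}

# chain_count BUNDLE: number of certificates in the bundle
chain_count() {
    chain_pairs "$1" | awk 'END { print NR }'
}

# chain_ok BUNDLE: succeeds only if each certificate is issued by the one that
# follows it (TLS order: end-entity first) and the last one is self-signed.
# This compares names only; the signatures are checked by openssl verify below.
chain_ok() {
    chain_pairs "$1" | awk -F"$tab" '
        NR > 1 && prev_issuer != $1 { bad = 1 }
        { prev_issuer = $2; last_subject = $1 }
        END { if (NR == 0 || bad || prev_issuer != last_subject) exit 1 }'
}

# chain_dot BUNDLE: complete Graphviz DOT graph, one edge per certificate
# (subject -> issuer). Assumes the names contain no double quotes.
chain_dot() {
    printf 'digraph chain {\n  rankdir=BT;\n'
    chain_pairs "$1" | awk -F"$tab" '{ printf "  \"%s\" -> \"%s\";\n", $1, $2 }'
    printf '}\n'
}

# make_test_chain DIR: constructed root -> intermediate -> leaf chain (P-256 keys)
make_test_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
    for name in root inter leaf; do
        openssl ecparam -genkey -name prime256v1 -noout -out "$d/$name.key"
    done
    openssl req -new -key "$d/root.key" -subj "/CN=Example Test Root" -out "$d/root.csr"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -key "$d/inter.key" -subj "/CN=Example Test Intermediate" -out "$d/inter.csr"
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    openssl req -new -key "$d/leaf.key" -subj "/CN=www.example.test" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
        -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Stand-alone run: build the constructed chain, list it, check order, print DOT,
# then verify signatures with only the root as trust anchor
work=$(mktemp -d)
make_test_chain "$work"
cat "$work/leaf.crt" "$work/inter.crt" "$work/root.crt" > "$work/chain.pem"
echo "Certificates in chain.pem: $(chain_count "$work/chain.pem")"
chain_pairs "$work/chain.pem" | awk -F"$tab" '{ printf "  %s  <-  %s\n", $1, $2 }'
if chain_ok "$work/chain.pem"; then echo "order: leaf -> intermediate -> root OK"; else echo "order: BROKEN"; fi
chain_dot "$work/chain.pem"            # pipe into: dot -Tpng -o chain.png
openssl verify -CAfile "$work/root.crt" -untrusted "$work/chain.pem" "$work/leaf.crt"
rm -rf "$work"
```

To use it on a real bundle, source the file and call chain_ok and chain_dot on your own PEM file instead of the constructed one; an out-of-order bundle (for example intermediate before leaf) makes chain_ok fail, which is exactly the condition that trips up TLS clients that do not reorder the chain.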