pki --verify checks an X.509 certificate against one or more CA certificates. It builds the trust chain from the certificate to a supplied CA (verifying every signature along the way), checks the validity period, and, when CRLs are supplied or online checking is enabled, checks revocation status.

Synopsis

pki --verify [--in <cert>] [--cacert <ca>]... [--crl <crl>]... [--online]

Options

--in
string
Path to the certificate to verify (PEM or DER). If omitted, the certificate is read from stdin.
--cacert
string
Path to a CA certificate file (PEM or DER) to verify against. Repeat the option to supply intermediate CA certificates so the whole chain up to the root can be built; each occurrence names one file, so to use every certificate in a directory pass them individually. If omitted, the certificate is checked as self-signed, i.e. it is trusted only if it signed itself.
--crl
string
Path to a CRL file (PEM or DER) used for revocation checking. Can be specified multiple times. A CRL only applies to certificates issued by the CA that signed it, so supply a CRL for each issuer whose revocations matter. Without --crl and without --online, no revocation information is consulted.
--online
boolean
Enable online revocation checking: the CRL distribution points and OCSP responders listed in the certificates are contacted. This depends on the plugins available to pki (the revocation plugin plus a fetcher plugin such as curl).

Exit codes

Code      Meaning
0         The certificate chains to a supplied CA, is within its validity period, and was not found to be revoked
non-zero  Verification failed: the issuer is untrusted or unknown, a signature in the chain is invalid, a certificate is expired or not yet valid, or the certificate is revoked

Examples

Verify a certificate against a CA:
pki --verify --in moonCert.pem --cacert strongswanCert.pem
Verify a certificate and check revocation via CRL:
pki --verify \
  --in moonCert.pem \
  --cacert strongswanCert.pem \
  --crl strongswan.crl
In both cases pki prints a single status line stating whether the chain is trusted, whether the lifetimes are valid and, when a CA was supplied, what it found about revocation. With a CRL that covers the issuer, a clean result reads along the lines of:
certificate trusted, lifetimes valid, certificate not revoked
The exact wording varies between strongSwan versions; a certificate that does not chain to the supplied CA is reported as certificate not trusted.
Verify a certificate against an intermediate CA and a root CA:
pki --verify \
  --in moonCert.pem \
  --cacert intermediateCert.pem \
  --cacert strongswanCert.pem
Without --online, pki --verify is an offline check: revocation is evaluated only against the CRLs passed with --crl, and the CRL distribution points and OCSP responders named in the certificates are not contacted. With --online those URIs are fetched, which requires the revocation plugin and a fetcher plugin to be available to pki. At connection time the charon daemon performs its own revocation checking (CRL and OCSP) according to the connection's configuration, independently of pki.
A non-zero exit code does not necessarily mean the certificate is revoked. It is also returned when the chain cannot be built to a supplied CA (or, without --cacert, when the certificate is not self-signed), when the certificate or an issuer is outside its validity period, or when a signature in the chain does not verify; the printed status line gives the reason. Because that line distinguishes an explicit "not revoked" verdict from cases where no usable revocation information was found, a script that must enforce revocation checking should require the "certificate not revoked" verdict in the output rather than relying on the exit status alone.
Use pki --verify in deployment scripts to confirm that issued certificates chain to the intended CA and are within their validity period before copying them to remote hosts.
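The deployment-script advice above, as an added example that is not part of strongSwan: a POSIX sh gate that expands a directory of CA certificates and an optional directory of CRLs into repeated --cacert/--crl options (pki takes one file per option), runs pki --verify, and accepts the certificate only when the exit status is zero and the status line confirms the chain is trusted and, when CRLs were supplied, that the certificate is not revoked. The function names, the PKI override variable, the directory arguments and the swanctl paths in the usage comment are assumptions made here; the status strings it matches are the ones pki prints, as shown under Examples.

```shell
#!/bin/sh
# Added example (not strongSwan's own code): a deployment gate around pki --verify.
# Assumptions: CA certificates sit one per file in CA_DIR, CRLs one per file in
# CRL_DIR, and pki is on PATH (override with PKI=/path/to/pki). pki --verify
# takes one file per --cacert/--crl option, so the directories are expanded
# into repeated options here.

# Print "--cacert FILE" / "--crl FILE" pairs, one token per line, for every
# regular file in CA_DIR and, if given, CRL_DIR.
pki_args_from_dirs() {
    ca_dir=$1
    crl_dir=${2:-}
    for f in "$ca_dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\n%s\n' --cacert "$f"
    done
    if [ -n "$crl_dir" ]; then
        for f in "$crl_dir"/*; do
            [ -f "$f" ] || continue
            printf '%s\n%s\n' --crl "$f"
        done
    fi
}

# verify_cert CERT CA_DIR [CRL_DIR]
# Returns 0 only when pki exits 0 AND its status line says the certificate is
# trusted; when CRLs were supplied the line must also say "certificate not
# revoked", so a CRL that does not cover the issuer is not mistaken for a
# clean revocation check.
verify_cert() {
    cert=$1
    ca_dir=$2
    crl_dir=${3:-}

    # Rebuild the positional parameters from the generated option list
    # (file names containing newlines are not supported by this helper).
    set --
    while IFS= read -r tok; do
        [ -n "$tok" ] && set -- "$@" "$tok"
    done <<EOF
$(pki_args_from_dirs "$ca_dir" "$crl_dir")
EOF

    # Capture the verdict line (and any parse errors pki writes to stderr).
    if out=$("${PKI:-pki}" --verify --in "$cert" "$@" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    printf '%s\n' "$out"
    [ "$rc" -eq 0 ] || return "$rc"
    case $out in
        *"certificate trusted"*) ;;
        *) return 1 ;;
    esac
    if [ -n "$crl_dir" ]; then
        case $out in
            *"certificate not revoked"*) ;;
            *) echo "revocation status not confirmed, refusing to deploy" >&2
               return 1 ;;
        esac
    fi
    return 0
}

# Usage in a deployment script (swanctl's default directories, assumed here):
#   verify_cert moonCert.pem /etc/swanctl/x509ca /etc/swanctl/x509crl || exit 1
```

Matching the status line in addition to the exit status is the point of the wrapper: the exit code tells you the chain was trusted and the lifetimes valid, while the "certificate not revoked" text is what tells you the CRL you supplied actually covered the issuer.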