There might be use case where you need to verify that the server certificate is actually signed by a particular CA :
Eg. You have a private CA server and you are having issues with the server certificate signed by that CA.
Lets test <a href="http://google.com" class="autolinkedURL autolinkedURL-url" target="_blank">google.com</a>
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1683805587246/4c090985-7f8f-4d3e-a2e4-c1e0bd7e804c.png?height=500" alt class="image--center mx-auto" />
Now concatenate both GTS Root R1 and GTS CA 1c3 cert to one file eg. GTSRootR1.cer
Now export the *<a href="http://.google.com" class="autolinkedURL autolinkedURL-url" target="_blank">.google.com</a>
(Note: all are in PEM format).
<pre><code class="lang-bash">openssl verify -verbose -CAfile GTSRootR1.cer google.cer 
google.cer: OK
</code></pre>
For invalid cert you will get something like below
<pre><code class="lang-bash">openssl verify -verbose -CAfile RootR1.cer google.cer 
CN = *.google.com
error 20 at 0 depth lookup:unable to get local issuer certificate
google.cer: verification failed: 20 (unable to get local issuer certificate)
</code></pre>

There might be use case where you need to verify that the server certificate is actually signed by a particular CA :

Eg. You have a private CA server and you are having issues with the server certificate signed by that CA.

Lets test google.com

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1683805587246/4c090985-7f8f-4d3e-a2e4-c1e0bd7e804c.png?height=500 align="center")

Now concatenate both GTS Root R1 and GTS CA 1c3 cert to one file eg. GTSRootR1.cer

Now export the \*.google.com

(Note: all are in PEM format).

```bash
openssl verify -verbose -CAfile GTSRootR1.cer google.cer 
google.cer: OK
```

For invalid cert you will get something like below

```bash
openssl verify -verbose -CAfile RootR1.cer google.cer 
CN = *.google.com
error 20 at 0 depth lookup:unable to get local issuer certificate
google.cer: verification failed: 20 (unable to get local issuer certificate)
```

Verify server certificate with the CA