To validate a certificate against a certificate authority, you just have to run:
openssl verify -trusted ca_root.pem -untrusted intermediate_ca.pem certificate.pem
You'll see an 'OK' message at the end of the output.
cer=certificate.pem
sig_path=signature
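# Certificate of the CA that directly issued $cer (here the intermediate CA)
root_ca=intermediate_ca.pem
# File that will hold the public key extracted from $root_ca
root_pub_key_path=intermediate_ca.key.pem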
tbs_path=certificate.tbs
### Extract signature from certificate
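# Run the following and note the offset of the last BIT STRING (the signature)
openssl asn1parse -in $cer
# Offset read from the output above for this certificate; yours will differ
last_bit_pos=819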
openssl asn1parse -in $cer -out $sig_path -noout -strparse $last_bit_pos
### Get fingerprint of the signature, the fingerprint of the TBS Cert and compare them
# 1. Get the fingerprint of the signature with the root key
openssl x509 -in $root_ca -pubkey -noout > $root_pub_key_path
openssl rsautl -in $sig_path -verify -asn1parse -inkey $root_pub_key_path -pubin
# 2. Get the sha1 (or whatever algorithm was used) of the TBS Certificate
openssl asn1parse -in $cer -out $tbs_path -noout -strparse 4
openssl sha1 -c $tbs_path
# Compare the signature fingerprint from step 1 with the sha1 of the TBS certificate.
# If they match, the certificate was signed with the provided rootCa.

The TBS certificate is the body of the actual certificate; it contains all the naming and key information held in the certificate. The only information in the actual certificate that is not held in the TBS certificate is the name of the algorithm used to sign the certificate and the signature itself. The TBS certificate is used as the input data to the signature algorithm when the certificate is signed or verified.
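
What the manual steps above do to the bytes, as an added Python example (not code from the original page). It assumes an RSA PKCS#1 v1.5 signature over SHA-1; the function names, the toy key built from two Mersenne primes and the certificate-like structure are constructed for illustration and are not a real CA or certificate.

```python
import hashlib

SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")  # SHA-1 DigestInfo header (RFC 8017)

def tlv(buf, off):
    """Read one DER header at off: (tag, header_len, content_len)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F  # long form: the next n bytes hold the length
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def split_certificate(cert):
    """Return (tbs_offset, tbs, sig_offset, sig) from a DER Certificate."""
    _, tbs_off, _ = tlv(cert, 0)  # outer SEQUENCE header, 4 bytes for typical certs
    _, hl, cl = tlv(cert, tbs_off)
    tbs = cert[tbs_off:tbs_off + hl + cl]  # header included: these bytes get hashed
    alg_off = tbs_off + hl + cl
    _, hl, cl = tlv(cert, alg_off)  # signatureAlgorithm, skipped here
    sig_off = alg_off + hl + cl  # the "last BIT STRING" offset from asn1parse
    tag, hl, cl = tlv(cert, sig_off)
    if tag != 0x03:
        raise ValueError("signature BIT STRING not found")
    return tbs_off, tbs, sig_off, cert[sig_off + hl + 1:sig_off + hl + cl]

def recover_digest_info(sig, n, e):
    """RSA public-key operation, then strip the PKCS#1 v1.5 padding."""
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    pad, sep, info = em[2:].partition(b"\x00")
    if em[:2] != b"\x00\x01" or len(pad) < 8 or pad.strip(b"\xff") or not sep:
        raise ValueError("bad PKCS#1 v1.5 padding")
    return info

def signed_by(cert, n, e):  # (n, e) is the issuer's RSA public key
    _, tbs, _, sig = split_certificate(cert)
    return recover_digest_info(sig, n, e) == SHA1_PREFIX + hashlib.sha1(tbs).digest()

# --- constructed demo data: toy key from two Mersenne primes, not a real CA ---
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
def der(tag, body):
    n, w = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | w]) + n.to_bytes(w, "big")) + body

def make_demo_cert():
    tbs = der(0x30, der(0x0C, b"constructed TBS body " * 12))
    em = b"\x00\x01" + b"\xff" * 43 + b"\x00" + SHA1_PREFIX + hashlib.sha1(tbs).digest()
    sig = pow(int.from_bytes(em, "big"), D, N).to_bytes(81, "big")
    alg = bytes.fromhex("300d06092a864886f70d0101050500")  # sha1WithRSAEncryption
    return der(0x30, tbs + alg + der(0x03, b"\x00" + sig))
```

`split_certificate` returns the same two offsets the shell steps rely on: the TBS offset passed to `-strparse` in step 2 and the signature BIT STRING offset stored in `last_bit_pos`.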