In general, in the commands below, no errors being output means there are no problems with file formats, connections, handshakes, etc. Seeing OK is definitely a good thing.

Note that any pipe to awk/grep/sed/etc. below can be removed to yield additional information you might find useful!

X.509 certificates

Verify that pubkey.crt is in PEM format.

openssl x509 -in pubkey.crt -noout

Print information about pubkey.crt.

openssl x509 -in ~/pubkey.pem -text

Verify that the signing CA chain rootCA.crt signed the public key certificate pubkey.crt.

openssl verify -verbose -CAfile rootCA.crt pubkey.crt

Print each certificate in the certificate chain chain.crt successively in PEM format.

openssl crl2pkcs7 -nocrl -certfile chain.crt \
    | openssl pkcs7 -print_certs -text \
    | awk '/-----BEGIN CERTIFICATE-----/ { x = 1; } x { print $0; } /-----END CERTIFICATE-----/ { x = 0; }'

Print the issuer information and fingerprint of each certificate in the chain chain.crt.

openssl crl2pkcs7 -nocrl -certfile chain.crt \
    | openssl pkcs7 -print_certs -text \
    | grep -A 1 '\(Serial\|Issuer:\)' \
    | grep -v '\(Valid\|^--\)' \
    | sed -E -e 's/^[[:space:]]+//' \
    | awk '/^Serial/ { printf "\n"; } { print $0; }'; echo

TLS connections

See if a TLS handshake to a given domain succeeds.

echo | openssl s_client -connect facebook.com:443 | grep Verification