Verify a certificate with chain with golang crypto library

verify_certificate.go

package main

import (
	"crypto/x509"
	"encoding/pem"
	"io/ioutil"
	"log"
	"os"
)

func main() {
	log.Printf("Usage: verify_certificate SERVER_NAME CERT.pem CHAIN.pem")

	serverName := os.Args[1]

	certPEM, err := ioutil.ReadFile(os.Args[2])
	if err != nil {
		log.Fatal(err)
	}

	rootPEM, err := ioutil.ReadFile(os.Args[3])
	if err != nil {
		log.Fatal(err)
	}

	roots := x509.NewCertPool()
	ok := roots.AppendCertsFromPEM([]byte(rootPEM))
	if !ok {
		panic("failed to parse root certificate")
	}

	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		panic("failed to parse certificate PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic("failed to parse certificate: " + err.Error())
	}

	opts := x509.VerifyOptions{
		Roots: roots,
		DNSName:       serverName,
		Intermediates: x509.NewCertPool(),
	}

	if _, err := cert.Verify(opts); err != nil {
		panic("failed to verify certificate: " + err.Error())
	}

	log.Printf("verification succeeds")
}

This example is not solving what people are searching for when they find it. The so-called "chain" in this example is trusted and all of its certs are put into the root store. While it is common to place some intermediate certs into a root store for faster verification, certs in the root store do not form a chain. Any certificate in the root store is trusted absolutely without having traverse further up a chain. Hence the word "root".

Can you modify the example to do what the title says? Start with a root certificate and verify a certificate that has one or more intermediate certificates attached to it as a chain.

This example from the docs is likely what people landing here are looking for: https://golang.org/pkg/crypto/x509/#example_Certificate_Verify