- openssl x509 -in "$CA_FILE" -noout -text | grep "CA Issuers" | grep "/$ca.crt" > /dev/null || error "CA Issuers field is wrong for $ca"
- openssl x509 -in "$CA_FILE" -noout -text | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
+ EXT=`openssl x509 -in "$CA_FILE" -noout -text`
+
+ verifyExtlist "$EXT"
+
+ echo "$EXT" | grep "Subject: " | grep "CN=$name" > /dev/null || error "Subject field did not verify"
+
+ echo "$EXT" | grep -A 2 "Basic Constraints" | grep "CA:TRUE" > /dev/null || error "Basic Constraints field is wrong for $ca"
+ echo "$EXT" | grep -A 2 "Key Usage" | grep "^ *Certificate Sign, CRL Sign$" > /dev/null || error "KeyUsage field is wrong for $ca"
+
+ echo "$EXT" | grep -A 4 "CRL Distribution" | grep "g2.crl.cacert.org/g2/$ca.crl" > /dev/null || error "CRL field is wrong for $ca"
+ echo "$EXT" | grep "CA Issuers" | grep "/$ca.crt" | grep "g2.crt.cacert.org/g2/" > /dev/null || error "CA Issuers field is wrong for $ca"
+ echo "$EXT" | grep "OCSP" | grep "http://g2.ocsp.cacert.org" > /dev/null || error "OCSP field is wrong for $ca"