Assuming your certificates are in PEM format, you can do:
openssl verify cert.pem
If your "ca-bundle" is a file containing additional intermediate certificates in PEM format:
openssl verify -untrusted ca-bundle cert.pem
If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CApath or -CAfile to specify the CA.
Assuming your certificates are in PEM format, you can do:
openssl verify cert.pem
If your "ca-bundle" is a file containing additional intermediate certificates in PEM format:
openssl verify -untrusted ca-bundle cert.pem
If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CApath or -CAfile to specify the CA.
Here is one-liner to verify a certificate chain:
openssl verify -verbose -x509_strict -CAfile ca.pem -CApath nosuchdir cert_chain.pem
This doesn't require to install CA anywhere.
See https://stackoverflow.com/questions/20409534/how-does-an-ssl-certificate-chain-bundle-work for details.
Update
As noted by Klaas van Schelven, the answer above is misleading as openssl appears to verify only single top certificate per file. So it's necessary to issue multiple verify commands for each certificate chain node placed in separate file.
SSL Cert Location
linux - Using openssl to get the certificate from a server - Stack Overflow
Ever Struggled with SSL/TLS Certificate Chains? Check This Out!
How do I know if my installed SSL certificates are authentic?
Videos
OpenSSL will allow you to look at it if it is installed on your system, using the OpenSSL x509 tool.
openssl x509 -noout -text -in 'cerfile.cer';
The format of the .CER file might require that you specify a different encoding format to be explicitly called out.
openssl x509 -inform pem -noout -text -in 'cerfile.cer';
or
openssl x509 -inform der -noout -text -in 'cerfile.cer';
On Windows systems you can right click the .cer file and select Open. That will then let you view most of the meta data.
On Windows you run Windows certificate manager program using certmgr.msc command in the run window. Then you can import your certificates and view details.
If you're using Windows, you can use console util (PowerShell or Command Prompt)
certutil -dump C:\path\certfile.cer
With SNI
If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address) you will need to send the correct hostname in order to get the right certificate.
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null
If you get an error similar to xxx:error:xxx:BIO routines:BIO_lookup_ex:system lib:crypto/bio/bio_addr.c:758:nodename nor servname provided, or not known connect:errno=0, execute the same command without www as the domain may not support it.
You may also get Secure Renegotiation IS NOT supported behind a corporate firewall in which case, a temporary (but dangerous) workaround is the -legacy_renegotiation parameter that can be added to the above command.
Without SNI
If the remote server is not using SNI, then you can skip -servername parameter:
openssl s_client -showcerts -connect www.example.com:443 </dev/null
To view the full details of a site's cert you can use this chain of commands as well:
$ echo | \
openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
openssl x509 -text
A one-liner to extract the certificate from a remote server in PEM format, this time using sed:
openssl s_client -connect www.google.com:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'