gnutls

GnuTLS verify certificate: anything easy to use?


In OpenSSL, I can verify certificate using the following command.

$ openssl verify -CApath /etc/ssl/certs cert_to_be_verified.pem

I wonder if there is a similar command in GnuTLS. The closest one I can find is "certtool", but "certtool" needs you to specify the CA file, which is rather inconvenient compared with OpenSSL. Thanks a lot for the tip!


Solution

  • Actually, certtool does not require you to specify the CA file. It will use your system's certificate list instead.

    From the certtool documentation:

    The trusted certificate list can be loaded with --load-ca-certificate. If no certificate list is provided, then the system's certificate list is used. Note that during verification multiple paths may be explored. On a successful verification the successful path will be the last one. It can be combined with --verify-purpose or --verify-hostname.

    $ certtool --verify --infile google.com.crt
    Loaded system trust (168 CAs available)
    Loaded 3 certificates, 168 CAs and 0 CRLs
    
        Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
        Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
        Checked against: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
        Output: Verified. The certificate is trusted.
    
        Subject: CN=Google Internet Authority G2,O=Google Inc,C=US
        Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
        Checked against: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
        Output: Verified. The certificate is trusted.
    
        Subject: CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
        Issuer: CN=Google Internet Authority G2,O=Google Inc,C=US
        Checked against: CN=Google Internet Authority G2,O=Google Inc,C=US
        Output: Verified. The certificate is trusted.
    
    Chain verification output: Verified. The certificate is trusted.
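To see the `--verify-hostname` and `--verify-purpose` options from the quoted documentation in action without depending on any public CA, here is an added shell example (not part of the question or answer above, and not GnuTLS project code). It builds a throw-away CA and a leaf certificate with certtool, then verifies the leaf against that CA, once with the matching hostname and once with a different one. The CA name, the hostname `www.example.test`, the template contents and the working directory are all constructed for this demo; the serverAuth purpose OID `1.3.6.1.5.5.7.3.1` is the standard one.

```shell
#!/bin/sh
# Added example: generate a demo CA and leaf with certtool, then verify the
# leaf with an explicit trust anchor, a required purpose and a hostname check.
# All names and paths below are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Write certtool templates for a CA and a TLS server leaf certificate.
make_templates() {
    cat > "$WORK/ca.tmpl" <<'EOF'
cn = "Demo Root CA (constructed)"
ca
cert_signing_key
expiration_days = 30
EOF
    cat > "$WORK/leaf.tmpl" <<'EOF'
cn = "www.example.test"
dns_name = "www.example.test"
tls_www_server
signing_key
encryption_key
expiration_days = 30
EOF
}

# Generate a self-signed CA and a leaf signed by it (certtool chatter silenced).
make_chain() {
    make_templates
    certtool --generate-privkey --bits 2048 --outfile "$WORK/ca.key" >/dev/null 2>&1
    certtool --generate-self-signed --load-privkey "$WORK/ca.key" \
        --template "$WORK/ca.tmpl" --outfile "$WORK/ca.pem" >/dev/null 2>&1
    certtool --generate-privkey --bits 2048 --outfile "$WORK/leaf.key" >/dev/null 2>&1
    certtool --generate-certificate --load-privkey "$WORK/leaf.key" \
        --load-ca-certificate "$WORK/ca.pem" --load-ca-privkey "$WORK/ca.key" \
        --template "$WORK/leaf.tmpl" --outfile "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf HOSTNAME: verify the leaf against our demo CA, requiring the
# serverAuth purpose (OID 1.3.6.1.5.5.7.3.1) and the given hostname.
# Prints "verified" or "rejected" and returns certtool's exit status, so the
# result can be used directly in scripts and monitoring checks.
verify_leaf() {
    if certtool --verify --load-ca-certificate "$WORK/ca.pem" \
        --verify-purpose 1.3.6.1.5.5.7.3.1 --verify-hostname "$1" \
        --infile "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo verified
        return 0
    else
        echo rejected
        return 1
    fi
}

# Usage: the first call succeeds, the second is rejected on hostname mismatch.
if command -v certtool >/dev/null 2>&1; then
    make_chain
    verify_leaf www.example.test
    verify_leaf www.other.test || true
fi
```

Dropping `--load-ca-certificate` makes certtool fall back to the system trust store, exactly as the quoted documentation says; the explicit anchor is used here only so the demo CA is trusted. The hostname check matters because a chain can be perfectly valid and still belong to a different server, which is why the question's `openssl verify` equivalent alone is not a complete check for a TLS endpoint.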