How to match a certificate and its intermediate counterpart

Match a certificate and its intermediate counterpart by using the X.509 key identifier extensions.

All you need to do is compare the authority key identifier to the subject key identifier. The authority key identifier identifies the public key that corresponds to the private key used to sign a certificate and the subject key identifier identifies the public key that corresponds to the private key used to sign an intermediate certificate.

Display key identifiers

Display the X509v3 Authority Key Identifier for the certificate.

$ openssl x509 -in certificate.crt -text -noout | awk ' /X509v3 Authority Key Identifier/ {getline;print gensub("^ +(keyid:)?","","g",$0)}'
56:34:05:BF:44:72:56:3D:96:29:D3:FF:31:7B:EF:9D:45:49:39:A9

Display the X509v3 Subject Key Identifier for the intermediate certificate.

$ openssl x509 -in certificate.intermediate.crt -text -noout | awk ' /X509v3 Subject Key Identifier/ {getline;print gensub("^ +","","g",$0)}'
56:34:05:BF:44:72:56:3D:96:29:D3:FF:31:7B:EF:9D:45:49:39:A9

Compare key identifiers

Compare the X509v3 Authority Key Identifier to the X509v3 Subject Key Identifier to verify that the certificate matches its intermediate counterpart.

$ CERTIFICATE="certificate.crt"; INTERMEDIATE_CERTIFICATE="certificate.intermediate.crt"; \
  (openssl x509 -in "$CERTIFICATE"              -text -noout | awk '/X509v3 Authority Key Identifier/ {getline;print gensub("^ +(keyid:)?","","g",$0)}'; \
   openssl x509 -in "$INTERMEDIATE_CERTIFICATE" -text -noout | awk '/X509v3 Subject Key Identifier/   {getline;print gensub("^ +","","g",$0)}') |     \
     uniq -c | \
     awk '{ if($1 == 2 && NR == 1) ok = 1; else ok = 0 } END { if(ok) print "OK"; else { print "NOT OK"; exit(11);} }'
OK
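
A portable variant of the comparison above, as an added example that is not part of the original page: it works with any POSIX awk, accepts the authority key identifier with or without the "keyid:" prefix, fails when either identifier is missing, and then confirms the signature with openssl verify, because equal key identifiers alone do not prove that the intermediate signed the certificate. The function names key_id and issuer_matches are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original page. key_id and issuer_matches are
# hypothetical helper names. Works with any POSIX awk (no gawk gensub needed).

# key_id EXT
# Read `openssl x509 -text` output on stdin and print the key identifier that
# follows the "X509v3 EXT" heading, upper-cased. Prints nothing when the
# extension is absent or the next line is not a hex key identifier.
key_id() {
    awk -v ext="X509v3 $1" '
        index($0, ext) {
            if ((getline line) <= 0) exit
            gsub(/[ \t\r]/, "", line)   # drop indentation
            sub(/^keyid:/, "", line)    # tolerate output with or without the prefix
            if (line ~ /^([0-9A-Fa-f][0-9A-Fa-f]:)*[0-9A-Fa-f][0-9A-Fa-f]$/)
                print toupper(line)
            exit
        }'
}

# issuer_matches CERT ISSUER
# Return 0 and print OK only when CERT's authority key identifier equals
# ISSUER's subject key identifier and ISSUER's key verifies CERT's signature.
issuer_matches() {
    aki=$(openssl x509 -in "$1" -noout -text | key_id "Authority Key Identifier")
    ski=$(openssl x509 -in "$2" -noout -text | key_id "Subject Key Identifier")
    # Fail closed: a missing identifier on either side is never a match.
    if [ -z "$aki" ] || [ -z "$ski" ]; then
        echo "NOT OK: key identifier missing" >&2
        return 11
    fi
    if [ "$aki" != "$ski" ]; then
        echo "NOT OK: AKI $aki != SKI $ski" >&2
        return 11
    fi
    # Key identifiers are plain labels inside each certificate, so equal values
    # are only a hint. Treat ISSUER as the trust anchor and check the signature
    # (openssl verify also rejects an expired certificate).
    if ! openssl verify -partial_chain -trusted "$2" "$1" >/dev/null 2>&1; then
        echo "NOT OK: signature does not verify" >&2
        return 11
    fi
    echo "OK"
}
```

Call it as issuer_matches certificate.crt certificate.intermediate.crt; the exit status is 0 on a match and 11 otherwise, as in the one-liner above.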

Additional notes

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile