# Verifying a Face Certificate

A Face Certificate is a standard x509v3 certificate and as such, its validity can be determined using conventional cryptographic tools such as OpenSSL:

```batch
openssl verify -CAfile root.pem -verbose face-cert.pem
```

In the above command, `root.pem` can be obtained by calling the `/root-certificate` end-point on the server.&#x20;

As a standard cryptography construct, an x509 certificate can be verified using various libraries in many different languages:

1. **Python** - the `cryptography` package support x509 verification. See [here](https://cryptography.io/en/latest/x509/verification/).
2. **NodeJS** - [pki.js](https://pkijs.org/docs/api/) provides functionality that should help in x509 verification.
3. **C#** - Useful functions can be found in the [System.Security.Cryptography.X509Certificates](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates?view=net-8.0) namespace in .NET 8.
4. Java - [This](https://czetsuya.medium.com/implementing-x509-certificate-validation-in-java-a-step-by-step-guide-90082d597a31) blog article covers a lot of gorund.

While the above list is by no means exhaustive, it should give you an idea of how you can verify certificates on your own server.

However, for the sake of convenience, we also provide an end-point for you to call to check the validity of a Face Certificate.

As before, on the Swagger Docs page authorize using the API Key you setup earlier.

Expand the `/verify-face-certificate` section and then click the `Try it out` button as shown below:

<figure><img src="https://content.gitbook.com/content/3MaK792MtyPjO8jJjWM7/blobs/YYi5X8DG6fLJbjOQqvWm/swagger-generate-face-cert.png" alt=""><figcaption><p>Verifying a previously generated certificate through an API call</p></figcaption></figure>

As before, after clicking the `Try it out` button, the following JSON text will become editable:

```json
{
  "cert_pem": "-----BEGIN CERTIFICATE----- .... -----END CERTIFICATE-----",
  "secp256k1_private_key_base64": "(optional) DFvY0g1DbMA6Yazi+Zmi216v0SiJmks8bp1DT3RoBII="
}
```

`cert_pem` - specifies the certificate to be verified (in PEM format)

`secp256k1_private_key_base64` - when included, this key will be used to decrypt the eID attributes in a Face Certificate.

&#x20;If the certificate includes encrypted attributes and this key is not specified, they will be returned as base64 encoded bytes which can later be decrypted offline using the ECIES algorithm (using your private key).&#x20;

If the attributes were included without specifying a public key for their encryption, this parameter can be omitted and the attributes will be returned as a plain-text JSON string.&#x20;

The process of generating keypairs for use with the API is described [here](https://docs.sensecrypt.com/sensecrypt-v3.1.3/sensecrypt-server/generate-your-first-face-certificate#generating-secp256k1-key-pairs-for-eid-attribute-encryption-optional).