Checking whether a certain root CA is trusted on the system


You can spare the call to awk by processing all the certificates using openssl alone. According to this answer on Server Fault the following will use an intermediate conversion to provide the same amount of information (i.e. the issuer for each certificate in the input file) which can be filtered for the data you're looking for:

    openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt \
      | openssl pkcs7 -print_certs -noout \
      | grep '^issuer=/C=US/O=company/CN=localhost/OU=engineering'

I find this an improvement because it doesn't use a bulky call to awk (which would also be another dependency), and the output of pkcs7 seems much more machine-readable than the whitespace-ridden original output from x509.

Note that you can use the return value of the above grep call to tell whether the given root CA is trusted:

    openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt \
      | openssl pkcs7 -print_certs -noout \
      | grep -q '^issuer=/C=US/O=company/CN=localhost/OU=engineering' && echo 'Certificate found!'
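An added example, not part of the original answer: the same pipeline wrapped in a function that succeeds only when a single certificate in the bundle has both its subject and its issuer equal to the wanted DN. An `issuer=` match alone is also true for any certificate that CA issued, and newer OpenSSL releases print the name as `C = US, O = company, ...` instead of the slash form, so both forms are normalized before comparing. The function names are hypothetical, and the normalization assumes attribute values contain no commas or slashes.

```shell
#!/bin/sh
# Added example; normalize_dn, root_in_listing and root_ca_trusted are
# hypothetical helper names, not OpenSSL commands.

# Convert "C = US, O = company" to "/C=US/O=company"; leave slash form as is.
# Assumption: attribute values contain no commas or slashes.
normalize_dn() {
    dn=${1#"${1%%[! ]*}"}          # trim leading spaces
    case "$dn" in
        /*) printf '%s\n' "$dn" ;;
        *)  printf '/%s\n' "$dn" | sed -e 's/ = /=/g' -e 's|, |/|g' ;;
    esac
}

# Read `openssl pkcs7 -print_certs -noout` output on stdin. Succeed only if
# one certificate has BOTH subject and issuer equal to the wanted DN, i.e.
# the self-signed root itself rather than a certificate it issued.
root_in_listing() {
    want=$(normalize_dn "$1")
    subject=
    while IFS= read -r line; do
        case "$line" in
            subject=*) subject=$(normalize_dn "${line#subject=}") ;;
            issuer=*)
                issuer=$(normalize_dn "${line#issuer=}")
                if [ "$subject" = "$want" ] && [ "$issuer" = "$want" ]; then
                    return 0
                fi
                subject= ;;
        esac
    done
    return 1
}

# Run the pipeline from the answer over bundle $1 and check for DN $2, e.g.
#   root_ca_trusted /etc/ssl/certs/ca-certificates.crt \
#       '/C=US/O=company/CN=localhost/OU=engineering' && echo 'Certificate found!'
root_ca_trusted() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | root_in_listing "$2"
}
```

A matching name shows only that a certificate with that DN is in the bundle; anyone can create a certificate carrying the same name, so compare a fingerprint when the identity of the CA matters.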