How to verify a self-signed root CA certificate along with a wildcard certificate against a server?

Question

I am using a local DNS server 192.168.1.1 which can resolve the local domain custom.local and all its subdomains. That by itself works fine.

In order to establish secure connections I have a self-signed root CA certificate looking like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

A wildcard certificate for *.custom.local that looks like this:

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: Wildcard custom.local
    ...: ... 
    ...: ... 
subject=C = ..., ST = ..., L = ..., O = ..., OU = IT, CN = *.custom.local, emailAddress = ...
issuer=DC = local, DC = custom, CN = CUSTOM-ROOT-CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

And a private key for the wildcard certificate that looks like this:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Now what I'm trying to do is to validate the combination of these three components and this is how I have been doing it so far:

# Check if the given private key belongs to the given wildcard certificate by comparing their derived public keys
[ "$(openssl x509 -pubkey -noout -in ./CUSTOM_WILDCARD.crt)" = "$(openssl rsa -pubout -outform PEM -in ./CUSTOM_WILDCARD.key 2&> /dev/null)" ]

# Verify the trust chain of the wildcard certificate by checking if it was signed by the private key corresponding to the given root CA certificate
openssl verify -CAfile ./CUSTOM_ROOT_CA.crt ./CUSTOM_WILDCARD.crt

But this has a huge disadvantage, or maybe I should say that an important piece is missing. I'm never checking these certificates/key against the actual server and I'm wondering how this can be done.
Let's say I want to test it against test.custom.local:443. How would I do that?
Do I just connect using openssl s_client -connect -CAfile ... -cert ... -key ... and if it exits with code 0, I know that the certificates and key I have locally are the correct ones for that server/domain?

echo | openssl s_client -connect test.custom.local:443 -CAfile ./CUSTOM_ROOT_CA.crt -cert ./CUSTOM_WILDCARD.crt -key ./CUSTOM_WILDCARD.key

It appears to work at first glace, but if for example I change the last letter in the key file, the command still returns the same output with exit code 0, which makes me think that this method might not be safe.