[openssl-users] How to verify a cert chain using Openssl command line?

Ben Humpert ben at an3k.de
Mon Jun 29 21:12:18 UTC 2015


Do you use nameConstraints or have specified IP in subjectAltName?
Because OpenSSL can't handle that correctly.

2015-06-29 22:51 GMT+02:00 David Li <dlipubkey at gmail.com>:
> Hi,
>
> As a test, I have created a rootCA, a subCA (signed by the rootCA) and
> a client cert (signed by the subCA). Now I want to use verify,
> s_client and s_server to test them together.
>
> However I searched and tried a number of times but still unsure about
> the correct syntax format in verify command. This is what I did:
>
> cat rootCA.crt subCA.crt > caChain.crt
>
> openssl verify -verbose -CAfile caChain.crt clientCert.crt
>
> openssl verify -CAfile caChain.crt client/clientCert.crt
> client/clientCert.crt: C = US, ST = California, O = David's company,
> CN = David's client cert, emailAddress = david.li at example.com
> error 47 at 0 depth lookup:permitted subtree violation
>
>
> However it seems my s_client and s_server test is OK:
>
> I created a caChain by concatenating rootCA and subCA together:
>
> Server:
> openssl s_server -cert server/serverComb.crt -www -CAfile caChain.crt -verify 3
>
> where serverComb.crt = cat of serverCert and server key
>
> Client:
> openssl s_client -CAfile caChain.crt -cert client/clientComb.crt
>
> where clientComb.crt = cat of clientCert and clientKey
>
>
> Does anyone have any idea why the verify command failed?
>
> Thanks.
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
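A complete, stand-alone illustration of the verify syntax discussed in this thread, added here and not taken from either poster's message. It builds a throwaway PKI (a root CA carrying a nameConstraints extension, a sub CA, and two client certificates), then runs `openssl verify` the way a chain is normally checked: only the root is trusted via -CAfile and the intermediate is supplied with -untrusted. One client certificate has names inside the permitted subtree and verifies; the other does not and produces the same error 47 (X509_V_ERR_PERMITTED_VIOLATION, "permitted subtree violation") reported above. All file names, the example.com and attacker.test names and the "Constrained Root CA" / "Constrained Sub CA" subjects are invented for the example.

```sh
#!/bin/sh
# Added example, not code from the original thread. Builds a throwaway PKI
# (root CA with nameConstraints -> sub CA -> two client certs) and verifies
# the leaves with `openssl verify`. Every name and path below is made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file with a section per certificate type. The root permits only
# DNS names in example.com and e-mail addresses @example.com.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:example.com, permitted;email:example.com

[ sub_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ leaf_inside ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:client.example.com, email:alice@example.com

[ leaf_outside ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:client.attacker.test, email:alice@attacker.test
EOF

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# Root CA: self-signed, carries the name constraints.
newkey root.key
openssl req -new -x509 -key root.key -subj "/CN=Constrained Root CA" -days 30 \
    -config ext.cnf -extensions root_ext -out root.pem

# Sub CA: CSR signed by the root.
newkey sub.key
openssl req -new -key sub.key -subj "/CN=Constrained Sub CA" -config ext.cnf -out sub.csr
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
    -extfile ext.cnf -extensions sub_ext -out sub.pem 2>/dev/null

# Leaf certificates from the sub CA.  $1 = basename, $2 = CN, $3 = extension section
issue_leaf() {
    newkey "$1.key"
    openssl req -new -key "$1.key" -subj "/CN=$2" -config ext.cnf -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA sub.pem -CAkey sub.key -CAcreateserial -days 30 \
        -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
issue_leaf inside  client.example.com   leaf_inside
issue_leaf outside client.attacker.test leaf_outside

# Verify one leaf: only the root is a trust anchor (-CAfile), the intermediate
# is passed as -untrusted so the chain builder can use it without trusting it.
# Prints OK, NAME_CONSTRAINT_VIOLATION, or the raw openssl output otherwise.
verify_leaf() {
    out="$(openssl verify -CAfile root.pem -untrusted sub.pem "$1" 2>&1 || true)"
    case "$out" in
        *"permitted subtree violation"*) echo NAME_CONSTRAINT_VIOLATION ;;
        *": OK"*)                        echo OK ;;
        *)                               echo "$out" ;;
    esac
}

echo "inside:  $(verify_leaf inside.pem)"    # OK
echo "outside: $(verify_leaf outside.pem)"   # NAME_CONSTRAINT_VIOLATION
```

Concatenating the root and sub CA into a single -CAfile, as in the original post, also verifies the inside certificate, because every certificate in -CAfile is treated as a trust anchor; the error 47 reported above is the name-constraints check failing, not a problem with the command syntax. Note also that s_client and s_server continue the handshake after a verification failure unless -verify_return_error is given, so a connection that "works" does not show that the chain verified; look at the "Verify return code:" line that s_client prints instead.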

