[openssl-users] certificate chains and verification requirements
Sudarshan Raghavan
sudarshan.t.raghavan at gmail.com
Sun Aug 13 17:24:05 UTC 2017
>> Actually, that's not the reason. The positional [certificates]
>> arguments to verify(1) are not "chains". Only the first (leaf)
>> certificate of each of the argument files is processed.
Ok, that makes sense. Thanks for the update. I was trying this experiment
to understand a client authentication failure in a similar scenario. I can
now look at the code to figure out what is going on.
Regards,
Sudarshan
On Sun, Aug 13, 2017 at 9:49 AM, Viktor Dukhovni <openssl-users at dukhovni.org
> wrote:
>
> > On Aug 13, 2017, at 11:39 AM, Sudarshan Raghavan <
> sudarshan.t.raghavan at gmail.com> wrote:
> >
> > 3. openssl verify -CAfile <root ca> <chain containing leaf, intermediate
> ca 2, intermediate ca 1 and root ca in that order>. This fails with this
> error
> >
> > "error 20 at 0 depth lookup: unable to get local issuer certificate
> > error leafchain.pem: verification failed"
> >
> > I understand the reason for this is, the issuer of leaf certificate
> (intermediate ca 2) is not part of the trusted chain.
>
> Actually, that's not the reason. The positional [certificates]
> arguments to verify(1) are not "chains". Only the first (leaf)
> certificate of each of the argument files is processed.
>
> To import additional chain elements use the [-untrusted file]
> argument to provide additional untrusted certificates with
> which to build the chain.
>
> --
> Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170813/56c50f71/attachment.html>
More information about the openssl-users
mailing list