[openssl-users] cert chain file ordering question
Norm Green
norm.green at gemtalksystems.com
Wed Jan 10 00:28:39 UTC 2018
It still doesn't verify correctly.
To simplify, I tried it with 1 intermediate CA. Here's the chain:
rootCa.pem - self-signed root cert. CN = rootCA
firstIntermedCa.pem - intermediate CA cert signed by rootCa.pem. CN = EmeaCA
secondIntermedCa.pem - intermediate CA cert signed by firstIntermedCa.pem. CN = KapitalCA
openssl verify -verbose -show_chain -CAfile rootCa.pem -untrusted firstIntermedCa.pem secondIntermedCa.pem
1.3.6.1.4.1.47749.1.1 = userCA, CN = KapitalCA
error 20 at 0 depth lookup: unable to get local issuer certificate
error secondIntermedCa.pem: verification failed
On 1/9/2018 3:57 PM, Viktor Dukhovni wrote:
>
>> On Jan 9, 2018, at 6:43 PM, Norm Green <norm.green at gemtalksystems.com> wrote:
>>
>> What is the correct order of intermediate CA certs in the untrusted chain file?
> The untrusted CA list is a heap, the order is irrelevant.
>
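
The claim in the quoted reply, that certificate order inside the -untrusted file does not matter, can be checked against a throwaway chain. This is an added example, not part of the original thread: the CA file names and CNs follow the message, while leaf.pem, min.cnf, the keys and the issue/verify_with helpers are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway chain rootCA -> EmeaCA -> KapitalCA -> leaf.
# CA file names and CNs follow the message; leaf.pem, min.cnf and all keys are constructed.
cd "$(mktemp -d)" || exit 1

cat > min.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME CN EXT_SECTION [ISSUER_NAME]; self-signed when ISSUER_NAME is omitted
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config min.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "$4" ]; then signer="-CA $4.pem -CAkey $4.key -CAcreateserial"
  else signer="-signkey $1.key"; fi
  # $signer is intentionally unquoted so it splits into separate options
  openssl x509 -req -in "$1.csr" $signer -extfile min.cnf -extensions "$3" \
    -days 2 -out "$1.pem" 2>/dev/null
}

# Prints "ok" if leaf.pem chains to rootCa.pem using the given untrusted bundle, else "fail"
verify_with() {
  if openssl verify -CAfile rootCa.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

issue rootCa rootCA v3_ca
issue firstIntermedCa EmeaCA v3_ca rootCa
issue secondIntermedCa KapitalCA v3_ca firstIntermedCa
issue leaf leaf.example v3_leaf secondIntermedCa

# Same two intermediates, concatenated in both orders
cat firstIntermedCa.pem secondIntermedCa.pem > order_a.pem
cat secondIntermedCa.pem firstIntermedCa.pem > order_b.pem

echo "issuer-first bundle:  $(verify_with order_a.pem)"
echo "subject-first bundle: $(verify_with order_b.pem)"
echo "EmeaCA only:          $(verify_with firstIntermedCa.pem)"
```

Both bundle orders verify; the third check fails because the leaf's issuer is missing from the untrusted set, which is the same "unable to get local issuer certificate" condition as error 20.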