[openssl-users] cert chain file ordering question
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Jan 10 00:55:50 UTC 2018
> On Jan 9, 2018, at 7:28 PM, Norm Green <norm.green at gemtalksystems.com> wrote:
>
> It still doesn't verify correctly.
Or correctly fails to verify?
> To simplify, I tried it with 1 intermediate CA. Here's the chain:
>
> rootCa.pem - self-signed root cert. CN = rootCA
> firstIntermedCa.pem - intermediate CA cert signed by rootCa.pem. CN = EmeaCA
> secondIntermedCa.pem - intermediate CA cert signed by firstIntermedCa.pem. CN = KapitalCA
Without the certificates (no private keys, just the certs) in question it quite
difficult to offer much help.
> openssl verify -verbose -show_chain -CAfile rootCa.pem -untrusted firstIntermedCa.pem secondIntermedCa.pem
> 1.3.6.1.4.1.47749.1.1 = userCA, CN = KapitalCA
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error secondIntermedCa.pem: verification failed
In addition to posting the certificates in question, please post (again even if
posted previously) what version of OpenSSL you're using, the output of:
$ openssl version -a
will suffice.
--
Viktor.
More information about the openssl-users
mailing list