openssl verify with concatenated CA
Tomas Mraz
tomas at openssl.org
Thu Dec 22 07:25:52 UTC 2022
On Wed, 2022-12-21 at 17:26 +0000, Bala Duvvuri via openssl-users
wrote:
> I have a concatenated file containing root CA and intermediate CA
> (say concat.pem, having the 2 CA certificates) copied to a directory
> say "ca"
>
> I have a entity certificate (cert1) signed by above intermediate CA
> (say inter.pem)
>
> The observation is
>
> This command works : openssl verify -CAfile ca/concat.pem cert1
>
> This command does not work: openssl verify -CApath ca cert1 ((ca
> directory has concat.pem in hash.0 format))
> But if we copy the intermediate CA as well to the ca/ directory, the
> above command works
Because the -CApath option expects each of the CA certificates to be
placed in the ca directory in a separate file with the hash.x symlink.
Basically the second certificate in the concat.pem file is ignored if
placed in -CApath directory.
--
Tomáš Mráz, OpenSSL
More information about the openssl-users
mailing list