[openssl-users] [openssl-dev] where is PEM_read_bio_X509_AUX()

Viktor Dukhovni openssl-users at dukhovni.org
Tue Apr 19 02:44:05 UTC 2016

[ Redirecting to openssl-users at openssl.org ]

On Tue, Apr 19, 2016 at 01:11:38AM +0000, CHOW Anthony wrote:

> I am trying to do “openssl verify –CAfile server.pem” and the command hang.

It is supposed to hang (reading standard input) when (incorrectly)
invoked this way.  You've left out the CAfile filename.  The correct
way to verify a certificate is:

    $ trusted=ta.pem
    $ untrusted=intermediate.pem
    $ subject=server.pem
    $ openssl verify -CAfile $trusted -untrusted $untrusted $subject


 * "ta.pem" contains your trust-anchor (root CA) certificates,
 * "intermediate.pem" contains any intermediate certificates needed to
    build a trust path from a root down to the server certificate,
 * "server.pem" contains the subject certificate to be verified.

Leave out the "-untrusted $untrusted" option if you're verifying
a certificate that is directly issued by a trust-anchor.

With a sufficiently recent version of OpenSSL replace "-CAfile
$trusted" with "-trusted $trusted" to make sure you're not
inadvertently using any of the default trust-anchors installed on
your system.


More information about the openssl-users mailing list