[openssl-users] certificate chains and verification requirements

Sudarshan Raghavan sudarshan.t.raghavan at gmail.com
Sun Aug 13 15:39:36 UTC 2017


Hello OpenSSL users,

I have this certificate chain, root ca -> intermediate ca 1 -> intermediate
ca 2 -> leaf certificate. With this chain, I attempted combinations of
openssl verify commands to understand how it works with certificate chains.

1. openssl verify -CAfile <chain containing certificates of intermediate ca
2, intermediate ca 1 and root ca in that order> <leaf certificate>. This
verifies ok as expected.
2. openssl verify -CAfile <same ca chain as in 1> <chain containing leaf,
intermediate ca 2, intermediate ca 1 and root ca in that order>. This
verifies ok as expected.
3. openssl verify -CAfile <root ca> <chain containing leaf, intermediate ca
2, intermediate ca 1 and root ca in that order>. This fails with this error

"error 20 at 0 depth lookup: unable to get local issuer certificate
error leafchain.pem: verification failed"

I understand the reason for this is that the issuer of the leaf certificate
(intermediate ca 2) is not part of the trusted chain. But the leaf chain
has all the certificates up to the root ca, and the root ca is the trusted CA I am
verifying against. I thought this would verify ok, but I am clearly wrong.
I can pass in the intermediate ca certificates using the -untrusted option and
it will work. But I was stumped by 3 and I am curious to know if there is
a document or RFC section explaining the behaviour. I have been trying to
search for something and I am clearly doing a bad job of it, because I have
not been able to find any.

Regards,
Sudarshan
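The three verify runs from the post, plus the -untrusted fix the poster mentions, reproduced as an added shell example (not code from the post or from the OpenSSL project). It builds a constructed root -> intermediate 1 -> intermediate 2 -> leaf chain in a temporary directory and assumes a local openssl binary with its default config; all subject and file names are constructed.

```shell
#!/bin/sh
# Rebuild the four-level chain from the post and run the verify cases.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# mkcert NAME SUBJECT ISSUER EXTFILE: key + CSR, then a cert signed by
# ISSUER's key (or self-signed when ISSUER is "self"). Names are constructed.
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$4" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
      -CAcreateserial -days 30 -extfile "$4" -out "$1.crt" 2>/dev/null
  fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

mkcert root '/CN=Example Root CA' self ca.ext
mkcert int1 '/CN=Example Intermediate CA 1' root ca.ext
mkcert int2 '/CN=Example Intermediate CA 2' int1 ca.ext
mkcert leaf '/CN=leaf.example.test' int2 leaf.ext

cat int2.crt int1.crt root.crt > cachain.pem            # -CAfile used in cases 1 and 2
cat leaf.crt int2.crt int1.crt root.crt > leafchain.pem  # the poster's leaf chain file

# Each case returns openssl verify's exit status (0 = verification OK).
case1() { openssl verify -CAfile cachain.pem leaf.crt >/dev/null 2>&1; }
case2() { openssl verify -CAfile cachain.pem leafchain.pem >/dev/null 2>&1; }
# openssl verify reads only the FIRST certificate of a file argument; the
# intermediates after the leaf in leafchain.pem are never loaded, so the
# chain cannot be built from leaf to the trusted root and error 20 results.
case3() { openssl verify -CAfile root.crt leafchain.pem >/dev/null 2>&1; }
# The fix: supply the intermediates as -untrusted chain-building material.
case4() { openssl verify -CAfile root.crt -untrusted leafchain.pem leaf.crt >/dev/null 2>&1; }

for c in case1 case2 case3 case4; do
  if "$c"; then echo "$c: OK"; else echo "$c: FAILED (exit $?)"; fi
done
```

Case 2 only appears to use the whole file: the extra certificates after the leaf are ignored there too, and it passes because the intermediates are already in -CAfile.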