[openssl-users] certificate chains and verification requirements

Viktor Dukhovni openssl-users at dukhovni.org
Sun Aug 13 16:49:49 UTC 2017

> On Aug 13, 2017, at 11:39 AM, Sudarshan Raghavan <sudarshan.t.raghavan at gmail.com> wrote:
> 3. openssl verify -CAfile <root ca> <chain containing leaf, intermediate ca 2, intermediate ca 1 and root ca in that order>. This fails with this error
> "error 20 at 0 depth lookup: unable to get local issuer certificate
> error leafchain.pem: verification failed"
> I understand the reason for this is, the issuer of leaf certificate (intermediate ca 2) is not part of the trusted chain.

Actually, that's not the reason.  The positional [certificates]
arguments to verify(1) are not "chains".  Only the first (leaf)
certificate of each of the argument files is processed.

To import additional chain elements use the [-untrusted file]
argument to provide additional untrusted certificates with
which to build the chain.


More information about the openssl-users mailing list