[openssl-users] cert chain file ordering question

Norm Green norm.green at gemtalksystems.com
Wed Jan 10 00:28:39 UTC 2018


It still doesn't verify correctly.

To simplify, I tried it with 1 intermediate CA. Here's the chain:

rootCa.pem - self-signed root cert. CN = rootCA
firstIntermedCa.pem - intermediate CA cert signed by rootCa.pem. CN = EmeaCA
secondIntermedCa.pem - intermediate CA cert signed by 
firstIntermedCa.pem.  CN = KapitalCA


openssl verify -verbose -show_chain -CAfile rootCa.pem -untrusted 
firstIntermedCa.pem secondIntermedCa.pem
1.3.6.1.4.1.47749.1.1 = userCA, CN = KapitalCA
error 20 at 0 depth lookup: unable to get local issuer certificate
error secondIntermedCa.pem: verification failed







On 1/9/2018 3:57 PM, Viktor Dukhovni wrote:
>
>> On Jan 9, 2018, at 6:43 PM, Norm Green <norm.green at gemtalksystems.com> wrote:
>>
>> What is the correct order of intermediate CA certs in the untrusted chain file?
> The untrusted CA list is a heap, the order is irrelevant.
>



More information about the openssl-users mailing list