[openssl-users] cert chain file ordering question

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jan 10 00:55:50 UTC 2018



> On Jan 9, 2018, at 7:28 PM, Norm Green <norm.green at gemtalksystems.com> wrote:
> 
> It still doesn't verify correctly.

Or correctly fails to verify?

> To simplify, I tried it with 1 intermediate CA. Here's the chain:
> 
> rootCa.pem - self-signed root cert. CN = rootCA
> firstIntermedCa.pem - intermediate CA cert signed by rootCa.pem. CN = EmeaCA
> secondIntermedCa.pem - intermediate CA cert signed by firstIntermedCa.pem.  CN = KapitalCA

Without the certificates (no private keys, just the certs) in question it is quite
difficult to offer much help.

> openssl verify -verbose -show_chain -CAfile rootCa.pem -untrusted firstIntermedCa.pem secondIntermedCa.pem
> 1.3.6.1.4.1.47749.1.1 = userCA, CN = KapitalCA
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error secondIntermedCa.pem: verification failed

In addition to posting the certificates in question, please post (again even if
posted previously) what version of OpenSSL you're using, the output of:

	$ openssl version -a

will suffice.

-- 
	Viktor.


