openssl verify with concatenated CA

Tomas Mraz tomas at
Thu Dec 22 07:25:52 UTC 2022

On Wed, 2022-12-21 at 17:26 +0000, Bala Duvvuri via openssl-users
> I have a concatenated file containing root CA and intermediate CA
> (say concat.pem, having the 2 CA certificates) copied to a directory
> say "ca"
> I have a entity certificate (cert1) signed by above intermediate CA
> (say inter.pem)
> The observation is 
> This command works : openssl verify -CAfile ca/concat.pem cert1
> This command does not work: openssl verify -CApath ca cert1  ((ca
> directory has concat.pem in hash.0 format))
> But if we copy the intermediate CA as well to the ca/ directory, the
> above command works

Because the -CApath option expects each of the CA certificates to be
placed in the ca directory in a separate file with the hash.x symlink.
Basically the second certificate in the concat.pem file is ignored if
placed in -CApath directory.

Tomáš Mráz, OpenSSL

More information about the openssl-users mailing list