openssl verify with concatenated CA
b_duvvuri at yahoo.com
Thu Dec 22 07:34:14 UTC 2022
Thank you Tomas for the clarification.
Bala On Thursday, 22 December, 2022, 12:55:56 pm IST, Tomas Mraz <tomas at openssl.org> wrote:
On Wed, 2022-12-21 at 17:26 +0000, Bala Duvvuri via openssl-users
> I have a concatenated file containing root CA and intermediate CA
> (say concat.pem, having the 2 CA certificates) copied to a directory
> say "ca"
> I have a entity certificate (cert1) signed by above intermediate CA
> (say inter.pem)
> The observation is
> This command works : openssl verify -CAfile ca/concat.pem cert1
> This command does not work: openssl verify -CApath ca cert1 ((ca
> directory has concat.pem in hash.0 format))
> But if we copy the intermediate CA as well to the ca/ directory, the
> above command works
Because the -CApath option expects each of the CA certificates to be
placed in the ca directory in a separate file with the hash.x symlink.
Basically the second certificate in the concat.pem file is ignored if
placed in -CApath directory.
Tomáš Mráz, OpenSSL
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users