openssl verify with concatenated CA

Bala Duvvuri b_duvvuri at
Thu Dec 22 07:34:14 UTC 2022

 Thank you Tomas for the clarification.

Bala     On Thursday, 22 December, 2022, 12:55:56 pm IST, Tomas Mraz <tomas at> wrote:  
 On Wed, 2022-12-21 at 17:26 +0000, Bala Duvvuri via openssl-users
> I have a concatenated file containing root CA and intermediate CA
> (say concat.pem, having the 2 CA certificates) copied to a directory
> say "ca"
> I have a entity certificate (cert1) signed by above intermediate CA
> (say inter.pem)
> The observation is 
> This command works : openssl verify -CAfile ca/concat.pem cert1
> This command does not work: openssl verify -CApath ca cert1  ((ca
> directory has concat.pem in hash.0 format))
> But if we copy the intermediate CA as well to the ca/ directory, the
> above command works

Because the -CApath option expects each of the CA certificates to be
placed in the ca directory in a separate file with the hash.x symlink.
Basically the second certificate in the concat.pem file is ignored if
placed in -CApath directory.

Tomáš Mráz, OpenSSL

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list