How does an SSL certificate chain bundle work?

Question

I've created a chain hierarchy like this.

root-ca ==> signing-ca ==> subordinate-ca ==> server 

It is mentioned to create chain bundle, the lowest should go first.

$ cat server.crt subordinate-ca.crt signing-ca.crt > server.pem 

But verification fails.

$ openssl verify -CAfile root-ca.crt server.pem error 20 at 0 depth lookup:unable to get local issuer certificate 

However, if I change the order it seems to work.

$ cat signing-ca.crt subordinate-ca.crt server.crt > server.pem $ openssl verify -CAfile root-ca.crt server.pem server.pem: OK 

So what would be the error here?

The chain after "cat" looks like below.

-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- 

More info: According to "http://www.herongyang.com/crypto/openssl_verify_2.html", I perform the following test which works.

$ cat signing-ca.crt subordinate-ca.crt > inter.crt $ openssl verify -CAfile root-ca.crt -untrusted inter.crt server.crt server.crt: OK 

Does that mean all the links are good?

OK, I finally discover that this cannot be done through OpenSSL command line (or at least easily). http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43871.html

Answer 1

The original order is in fact backwards. Certs should be followed by the issuing cert until the last cert is issued by a known root per IETF's RFC 5246 Section 7.4.2

This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it.

See also SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch for troubleshooting techniques.

But I still don't know why they wrote the spec so that the order matters.