I created a PEM certificate from a PFX certificate and wanted to verify it. However, I ran into this issue, tried to find some answers, but I didn't, and therefore I don't know how to fix it. Could you please advise? Thank you very much.
C:\OpenSSL-Win32\bin>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
C:\OpenSSL-Win32\bin>openssl
OpenSSL> verify C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>
When the "SSL certificate problem: unable to get local issuer certificate" error is caused by a self-signed certificate, the fix is to add that certificate to the client's trusted certificate store. For Git, for example, open the ca-bundle.crt file that Git uses and paste the server's certificate at the end of the file.
The most common cause of the "unable to get local issuer certificate" error is a misconfigured web server that does not send all of the intermediate certificates along with the server certificate during the TLS handshake, so the client cannot build a chain from the server certificate up to a trusted root.
To verify a certificate against its CRL, download the certificate and read its CRL Distribution Point extension; the output contains the CRL URL. Next, download the CRL from that URL with wget. It will usually be in DER format, so convert it to PEM format before passing it to the openssl verify command.
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem
Close. You need to add the CA's root certificate with -CAfile; and not your end entity certificate. Something like:
openssl verify -CAfile C:\ca-cert.pem C:\mycert.pem
Also, if there is an intermediate certificate, then it needs to be added to mycert.pem. So mycert.pem will actually have two (or more) certificates (rather than one).
Adding all required certificates to mycert.pem in an effort to build a valid chain solves the "which directory" problem. It's a well known problem in PKI. Essentially, a client (like me) does not know where to go to get missing intermediate certificates.
Another case is pathlen can only be set when CA:TRUE in basicConstraints.
Example:
basicConstraints=CA:TRUE,pathlen:10 # Okay
basicConstraints=CA:FALSE,pathlen:10 # Invalid!
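The procedure the answer describes (trust the root through -CAfile and supply the intermediate separately), the question's "error 20" run, and the CRL check mentioned earlier, as an added example that is not part of the original question or answers. It builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI and then runs openssl verify in several configurations; every subject, file name and the CRL URL (crl.example.test) are made up, and the CRL is generated locally instead of fetched with wget. Two facts about the tool it relies on: openssl verify reads only the first certificate from the file it is asked to verify, so the leaf+intermediate bundle the answer recommends is handed over with -untrusted rather than as the target; and -crl_check checks only the leaf's revocation status, so only the intermediate's CRL is needed. The intermediate is given pathlen:0, a legal combination because it is CA:TRUE.

```shell
#!/usr/bin/env bash
# Added example: a throwaway root -> intermediate -> leaf PKI built with the
# openssl CLI, used to reproduce the question's "error 20" and to show the
# -CAfile/-untrusted combination and a CRL check that succeed. All names,
# subjects and the CRL URL are made up for the demonstration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained config: req defaults, one extension profile per tier, and a
# minimal [ca] section so `openssl ca` can revoke and issue a CRL for the
# intermediate. pathlen:0 is only legal next to CA:TRUE.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden by -subj
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_inter ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:leaf.example.test
crlDistributionPoints = URI:http://crl.example.test/inter.crl
[ ca ]
default_ca = inter_ca
[ inter_ca ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = inter.pem
private_key = inter.key
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF

# Root (self-signed), intermediate (signed by root), leaf (signed by intermediate).
openssl req -x509 -config pki.cnf -extensions v3_root -newkey rsa:2048 -nodes \
  -days 30 -subj "/CN=Demo Root CA" -keyout root.key -out root.pem 2>/dev/null
openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
  -extfile pki.cnf -extensions v3_inter -out inter.pem 2>/dev/null
openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=leaf.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 30 \
  -extfile pki.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
cat leaf.pem inter.pem > chain.pem   # the leaf+intermediate bundle the answer describes

# Reduce one `openssl verify` run to a single line: "OK", or "<code> <reason>"
# taken from its "error N at D depth lookup: <reason>" diagnostic.
verify_result() {
  if out=$(openssl verify "$@" 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" |
      sed -n 's/^error \([0-9]*\) at [0-9]* depth lookup: *\(.*\)$/\1 \2/p' | head -n 1
  fi
}

# Print the URI from a certificate's CRL Distribution Points extension.
crl_dp() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints |
    sed -n 's/.*URI:\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Issue an empty CRL, then model what a client does with the file it fetched
# from the DP: distribution points usually serve DER, so convert to PEM first.
touch index.txt; echo 1000 > serial
openssl ca -config pki.cnf -gencrl -out inter.crl.pem 2>/dev/null
openssl crl -in inter.crl.pem -outform DER -out fetched.crl   # as served by the DP
openssl crl -inform DER -in fetched.crl -outform PEM -out inter.crl.pem
BEFORE_REVOKE=$(verify_result -crl_check -CAfile root.pem -untrusted inter.pem -CRLfile inter.crl.pem leaf.pem)

# Revoke the leaf and reissue the CRL; the same check must now fail.
openssl ca -config pki.cnf -revoke leaf.pem -crl_reason keyCompromise 2>/dev/null
openssl ca -config pki.cnf -gencrl -out inter.crl.pem 2>/dev/null

echo "leaf as its own -CAfile      : $(verify_result -CAfile leaf.pem leaf.pem)"
echo "root only, no intermediate   : $(verify_result -CAfile root.pem leaf.pem)"
echo "root + intermediate          : $(verify_result -CAfile root.pem -untrusted inter.pem leaf.pem)"
echo "root + bundle via -untrusted : $(verify_result -CAfile root.pem -untrusted chain.pem leaf.pem)"
echo "CRL DP in leaf               : $(crl_dp leaf.pem)"
echo "CRL check before revocation  : $BEFORE_REVOKE"
echo "CRL check after revocation   : $(verify_result -crl_check -CAfile root.pem -untrusted inter.pem -CRLfile inter.crl.pem leaf.pem)"
```

The first two runs reproduce the question's situation: the leaf as its own -CAfile, and a root with no intermediate available, both end in "20 unable to get local issuer certificate", because OpenSSL cannot find the issuer of the certificate at depth 0 anywhere. Once the intermediate is reachable (directly or inside the bundle passed with -untrusted) and the root is the trust anchor, the same leaf verifies. The CRL check is "OK" against the empty CRL and "23 certificate revoked" after revocation. Needs OpenSSL 1.1.1 or newer (for -ext on openssl x509 and -CRLfile on openssl verify).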