Menu
I'm building a own certificate chain with following componenents:
Root Certificate - Intermediate Certificate - User Certificate
Root Cert is a self signed certificate, Intermediate Certificate is signed by Root and User by Intermediate.
Now I want to verify if a User Certificate has its anchor by Root Certificate.
With
openssl verify -verbose -CAfile RootCert.pem Intermediate.pem
the validation is ok. In the next step I validate the User Cert with
openssl verify -verbose -CAfile Intermediate.pem UserCert.pem
and the validation shows
error 20 at 0 depth lookup:unable to get local issuer certificate
What is wrong?
442
Also, if you have the root and intermediate certs in your trusted certs on Windows, you can double-click the cert file, then go to the "Certification Path" tab to see the chain.
Checks the validity of all certificates in the chain by attempting to look up valid CRLs. Normally if an unhandled critical extension is present which is not supported by OpenSSL the certificate is rejected (as required by RFC5280).
From verify documentation:
If a certificate is found which is its own issuer it is assumed to be the root CA.
In other words, root CA needs to be self signed for verify to work. This is why your second command didn't work. Try this instead:
openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem
It will verify your entire chain in a single command.
110
That's one of the few legitimate jobs for cat:
openssl verify -verbose -CAfile <(cat Intermediate.pem RootCert.pem) UserCert.pem
Update:
As Greg Smethells points out in the comments, this command implicitly trusts Intermediate.pem. I recommend reading the first part of the post Greg references (the second part is specifically about pyOpenSSL and not relevant to this question).
In case the post goes away I'll quote the important paragraphs:
Unfortunately, an "intermediate" cert that is actually a root / self-signed will be treated as a trusted CA when using the recommended command given above:
$ openssl verify -CAfile <(cat geotrust_global_ca.pem rogue_ca.pem) fake_sometechcompany_from_rogue_ca.com.pem fake_sometechcompany_from_rogue_ca.com.pem: OK
It seems openssl will stop verifying the chain as soon as a root certificate is encountered, which may also be Intermediate.pem if it is self-signed. In that case RootCert.pem is not considered. So make sure that Intermediate.pem is coming from a trusted source before relying on the command above.
45
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
