I'm trying to validate a client certificate on an OCSP server but it fails.
This is the command that I'm trying to run:
openssl ocsp -issuer test_ca_cert.pem -cert my_test_client_cert.pem -text -url http://demo.server.com/ocsp
This is the output:
OCSP Request Data:
...
OCSP Response Data:
....
Certificate:
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Response Verify Failure
140530622551704:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate
my_test_client_cert.pem: good
This Update: Jan 17 15:56:46 2017 GMT
I checked that the Issuer in my client cert is the same as the one in test_ca_cert.pem.
What am I doing wrong? How can I fix this?
Thank you
Here they say: OpenSSL is unable to find a local certificate for the issuer (or the issuer of the first certificate in the chain received from the web server during the TLS handshake) with which to verify the signature(s). Not sure what that means. This error means the certificate path or chain is broken and you are missing certificate files.
Upon failing to find an untrusted issuer cert, OpenSSL switches to the trusted certificate store and continues building the chain. This process stops when either an issuer is not found in the trusted store or a self-signed certificate is encountered.
Most Git users experience the ‘SSL certificate problem: unable to get local issuer certificate’ or the ‘git SSL certificate problem unable to get local issuer certificate’ error at some point in time.
Using -CAfile as @pedrofb suggested worked for me, but neither with the root nor with the intermediate certificate, but with the root and the intermediate bundled together (i.e. cat root.pem intermediate.pem > bundle.pem):
openssl ocsp \
-CAfile root.cert.pem \
-issuer intermediate.cert.pem \
-cert server.cert.pem \
-text \
-url http://ocsp.example.com
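The effect described in the answer above can be reproduced offline. The following is an added example, not part of the original posts: it builds a constructed three-level PKI and uses `openssl verify` instead of `openssl ocsp`, on the assumption that both build the chain to a trusted root in the same way. All file names and subject names are made up.

```sh
#!/bin/sh
# Constructed PKI: root -> intermediate -> leaf. Nothing here comes from the page.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
cd "$work" || exit 1

# Minimal config so the result does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

newreq() {  # newreq <name> <CN>: write <name>.key and <name>.csr
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Constructed Root" -days 30 2>/dev/null
newreq inter "Constructed Intermediate"
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 \
    -extfile ca.cnf -extensions v3_ca -out inter.pem -days 30 2>/dev/null
newreq leaf "constructed-leaf"
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 3 \
    -out leaf.pem -days 30 2>/dev/null

# The bundle from the answer: root and intermediate in one trust file.
cat root.pem inter.pem > bundle.pem

chain_ok() {  # chain_ok <CAfile>: true if leaf.pem chains to a trusted root
    openssl verify -CAfile "$1" leaf.pem 2>&1 | grep -q ': OK$'
}

for ca in root.pem inter.pem bundle.pem; do
    if chain_ok "$ca"; then
        echo "$ca: chain verifies"
    else
        # Show OpenSSL's own reason for the broken chain.
        echo "$ca: $(openssl verify -CAfile "$ca" leaf.pem 2>&1 | grep '^error [0-9]')"
    fi
done
```

With only the root trusted, the leaf's issuer is missing; with only the intermediate trusted, the chain stops before reaching a self-signed root. Only the bundle supplies every link.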