[ Redirecting to openssl-users at openssl.org ]

On Tue, Apr 19, 2016 at 01:11:38AM +0000, CHOW Anthony wrote:

> I am trying to do "openssl verify -CAfile server.pem" and the command hangs.

It is supposed to hang (reading standard input) when (incorrectly)
invoked this way. You've left out the CAfile filename. The correct
way to verify a certificate is:

    $ trusted=ta.pem
    $ untrusted=intermediate.pem
    $ subject=server.pem
    $ openssl verify -CAfile $trusted -untrusted $untrusted $subject

where

  * "ta.pem" contains your trust-anchor (root CA) certificates,
  * "intermediate.pem" contains any intermediate certificates needed
    to build a trust path from a root down to the server certificate,
  * "server.pem" contains the subject certificate to be verified.

Leave out the "-untrusted $untrusted" option if you're verifying a
certificate that is directly issued by a trust-anchor.

With a sufficiently recent version of OpenSSL replace "-CAfile $trusted"
with "-trusted $trusted" to make sure you're not inadvertently using any
of the default trust-anchors installed on your system.

--
Viktor.
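Added example, not part of the original message: a shell script that builds a throwaway root, intermediate and server certificate and runs the verify invocation from the reply, with and without "-untrusted". The file names follow the message; the subject names, demo.cnf and the function names are constructed for illustration, and the script assumes an openssl binary (1.1.0 or later) on PATH.

```shell
# Added example: constructed three-tier chain; all subject names are made up.

# build_chain DIR: create ta.pem (root), intermediate.pem and server.pem in DIR.
build_chain() {
    ( cd "$1" || exit 1
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    newkey="-newkey rsa:2048 -nodes -config demo.cnf"
    sign="-req -days 2 -extfile demo.cnf"
    # Self-signed root: the only certificate that goes into the trusted file.
    openssl req -x509 $newkey -extensions v3_ca -days 2 \
        -subj "/CN=Constructed Root CA" -keyout root.key -out ta.pem &&
    # Intermediate CA, issued by the root.
    openssl req -new $newkey -subj "/CN=Constructed Intermediate CA" \
        -keyout int.key -out int.csr &&
    openssl x509 $sign -extensions v3_ca -in int.csr \
        -CA ta.pem -CAkey root.key -set_serial 2 -out intermediate.pem &&
    # Server (subject) certificate, issued by the intermediate.
    openssl req -new $newkey -subj "/CN=server.example" \
        -keyout srv.key -out srv.csr &&
    openssl x509 $sign -extensions v3_leaf -in srv.csr \
        -CA intermediate.pem -CAkey int.key -set_serial 3 -out server.pem
    ) >/dev/null 2>&1
}

# verify_chain TRUSTED UNTRUSTED SUBJECT: the invocation from the message.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# verify_direct TRUSTED SUBJECT: no -untrusted, for anchor-issued subjects only.
verify_direct() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d) && build_chain "$demo" || exit 1
verify_chain "$demo/ta.pem" "$demo/intermediate.pem" "$demo/server.pem" && echo "chain OK"
verify_direct "$demo/ta.pem" "$demo/server.pem" || echo "rejected without -untrusted"
rm -rf "$demo"
```

The second check fails because the server certificate's issuer is the intermediate, which is in neither the trusted file nor an "-untrusted" file, so no path to the root can be built.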