On 18/05/2016 21:38, Walter H. wrote:
> On 18.05.2016 21:10, Viktor Dukhovni wrote:
>>> On May 18, 2016, at 1:26 PM, Walter H.<Walter.H at mathemainzel.info>
>>> wrote:
>>>
>>> openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt
>>> -trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem
>>>
>>> /tmp/chain.pem contains a root certificate
>>> /tmp/cert.pem contains a certificate that was signed by this root
>>> certificate;
>>>
>>> I get the following output
>>>
>>> /tmp/cert.pem: CN = ..., O = ..., ST = ..., C = ...
>>> error 19 at 1 depth lookup:self signed certificate in certificate chain
>>>
>>> of course the number 19 means 'self signed certificate in certificate
>>> chain'
>>> as shown here: https://www.openssl.org/docs/manmaster/apps/verify.html
>>>
>>> but what does the number 1 (at ... depth) say?
>> It means that while constructing a chain, the immediate issuer of the
>> leaf certificate was an untrusted self-signed certificate.  The leaf
>> certificate has depth 1, its issuer has depth 0.
>>
> Ah, ok; in case there had been a chain with 3 certificates
> 2 means the leaf certificate, 1 means the issuing intermediate and 0
> means the self signed root?

No, 0 is always the leaf, 1 is always the issuer of the leaf,
2 is always the issuer of the issuer of the leaf etc.

So for a chain with 3 certificates, 2 is the root.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
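
Added example (not part of the original message and not OpenSSL code): a small Python parser for the "error N at D depth lookup" lines that openssl verify prints, labelling each depth with the numbering given in the reply above. The function names and the sample output are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# "error <code> at <depth> depth lookup:<reason>"; some OpenSSL releases
# print a space after the colon, so whitespace there is optional.
VERIFY_ERROR = re.compile(r"^error (\d+) at (\d+) depth lookup:\s*(.+)$")


class VerifyError(NamedTuple):
    code: int
    depth: int
    reason: str


def parse_verify_errors(output: str) -> List[VerifyError]:
    """Extract every verification error line from `openssl verify` output."""
    found = []
    for line in output.splitlines():
        match = VERIFY_ERROR.match(line.strip())
        if match:
            code, depth, reason = match.groups()
            found.append(VerifyError(int(code), int(depth), reason.strip()))
    return found


def describe_depth(depth: int) -> str:
    """Depth 0 is the leaf; each step up is the issuer of the one below."""
    if depth < 0:
        raise ValueError("depth cannot be negative")
    return " of the ".join(["issuer"] * depth + ["leaf"])


def is_top_of_chain(depth: int, chain_length: int) -> bool:
    """True when `depth` is the last certificate of a chain of that length."""
    if not 0 <= depth < chain_length:
        raise ValueError("depth is outside the chain")
    return depth == chain_length - 1


# Constructed sample, shaped like the output quoted in the thread.
SAMPLE = """/tmp/cert.pem: CN = ..., O = ..., ST = ..., C = ...
error 19 at 1 depth lookup:self signed certificate in certificate chain
"""

if __name__ == "__main__":
    for err in parse_verify_errors(SAMPLE):
        print(f"error {err.code} ({err.reason}) at depth {err.depth}: "
              f"{describe_depth(err.depth)}")
```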