Re: It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 Hi Michael & opensslers,

> So: either there's more than one certificate in cacert-2016-11-02.pem, or OpenSSL on the PC is searching its default CA certificate directory in addition to cacert-2016-11-02.pem. Since we don't know what's > actually in cacert-2016-11-02.pem, we can't provide much further help.

It seems there are many certificates in the cacert-2016-11-02.pem. A lot.
---------------------cacert-2016-11-02.pem------------

GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

GlobalSign Root CA - R2
=======================
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----

Verisign Class 3 Public Primary Certification Authority - G3
============================================================
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

Entrust.net Premium 2048 Secure Server CA
=========================================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Baltimore CyberTrust Root
=========================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

......so on...........

--------------------------------------------------------------


> Note that if there are multiple certificates in cacert-2016-11-02.pem, you'll have to split them up into separate files and create the correct hash link for each one, if you want to use a certificate directory.

Should I need to do this? >"<
Because other people(in the internet) used this pem file, have no problem. They didn't  separate it. And there are so many certificates.
And is this step right ? 
1. /tmp # ./openssl x509 -hash -fingerprint -noout -in /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
     5ad8a5d6
     SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
2. /etc/ssl/certs # ln -s /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 5ad8a5d6.0
I will split them like this later.

> Did you actually capture that, or did you retype it? Because it's not valid openssl x509 output. Note that it doesn't match what you reported from the PC:
In the paltform, the openssl version is 1.1.0c.
And in my PC, the openssl version is 1.0.1f.
Today, I have rebuild the openssl1.0.1f for my paltform again.
Although it was still NG.
And the log is the same as the PC now:
/tmp # ./openssl x509 -subject -noout -in /home/georgeyang/workspace/speech_code
/openssl/final/openssl/certs/cacert-2016-11-02.pem 
subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/tmp # 

Thank you very much 
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux