certificate chains and verification requirements

Hello OpenSSL users,

I have this certificate chain, root ca -> intermediate ca 1 -> intermediate ca 2 -> leaf certificate. With this chain, I attempted combinations of openssl verify commands to understand how it works with certificate chains.

1. openssl verify -CAfile <chain containing certificates of intermediate ca 2, intermediate ca 1 and root ca in that order> <leaf certificate>. This verifies ok as expected.
2. openssl verify -CAfile <same ca chain as in 1> <chain containing leaf, intermediate ca 2, intermediate ca 1 and root ca in that order>. This verifies ok as expected.
3. openssl verify -CAfile <root ca> <chain containing leaf, intermediate ca 2, intermediate ca 1 and root ca in that order>. This fails with this error:

"error 20 at 0 depth lookup: unable to get local issuer certificate
error leafchain.pem: verification failed"

I understand the reason for this is that the issuer of the leaf certificate (intermediate ca 2) is not part of the trusted chain. But the leaf chain has all the certificates up to the root ca, and the root ca is the trusted CA I am verifying against. I thought this would verify ok, but I am clearly wrong. I can pass in the intermediate ca certificates using the -untrusted option and it will work. But I was stumped by 3 and I am curious to know if there is a document or RFC section explaining the behaviour. I have been trying to search for something and I am clearly doing a bad job of it, because I have not been able to find any.

Regards,
Sudarshan
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
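The following script is an added worked example and is not part of the original post or of OpenSSL's own test suite. It builds the same root -> intermediate 1 -> intermediate 2 -> leaf chain from throwaway keys generated on the spot (the subject names, serial numbers and the ca.cnf contents are constructed here; the only assumptions are that the openssl and mktemp binaries are on PATH and that openssl is 1.1.1 or 3.x), then replays the three verify invocations from the post plus the -untrusted variants. The point it makes visible: the positional file given to `openssl verify` supplies only the first certificate in it, so leafchain.pem is read as leaf.pem and the intermediates behind it are never seen. RFC 5280 section 6.1 describes validation of a candidate path that the caller has already assembled; assembling it (path construction, the subject of RFC 4158) is the application's job, and in the openssl CLI the place to hand over candidate intermediates is -untrusted.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild root -> ica1 -> ica2 -> leaf
# with throwaway keys and replay the verify commands under discussion.
# Assumes: openssl (1.1.1 or 3.x) and mktemp on PATH. All names/serials are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so req/x509 do not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:leaf.example.test
EOF

# new_csr NAME SUBJECT : fresh 2048-bit RSA key plus CSR for NAME (test material only).
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" -config ca.cnf >/dev/null 2>&1
}

# issue NAME ISSUER SERIAL EXTSECTION : sign NAME.csr with ISSUER.key into NAME.pem.
issue() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" \
        -days 30 -extfile ca.cnf -extensions "$4" -out "$1.pem" >/dev/null 2>&1
}

# Self-signed root, then the two intermediates and the leaf.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 \
    -subj "/CN=Test Root CA" -config ca.cnf -extensions v3_ca >/dev/null 2>&1
new_csr ica1 "/CN=Test Intermediate CA 1"; issue ica1 root 1001 v3_ca
new_csr ica2 "/CN=Test Intermediate CA 2"; issue ica2 ica1 1002 v3_ca
new_csr leaf "/CN=leaf.example.test";      issue leaf ica2 1003 v3_leaf

# The bundles from the post, in the order the post gives them.
cat ica2.pem ica1.pem root.pem > cafile.pem              # -CAfile of cases 1 and 2
cat leaf.pem ica2.pem ica1.pem root.pem > leafchain.pem  # positional argument of cases 2 and 3
cat ica2.pem ica1.pem > intermediates.pem                # the usual -untrusted input

# verify_case CAFILE TARGET [UNTRUSTED] : prints OK or FAIL. openssl's own
# diagnostics ("error 20 at 0 depth lookup: ...") still go to stderr.
# openssl verify reads only the FIRST certificate of TARGET, so passing
# leafchain.pem is the same as passing leaf.pem; the rest is ignored.
verify_case() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null && echo OK || echo FAIL
    else
        openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null && echo OK || echo FAIL
    fi
}

echo "1. -CAfile cafile.pem leaf.pem                           : $(verify_case cafile.pem leaf.pem)"
echo "2. -CAfile cafile.pem leafchain.pem                      : $(verify_case cafile.pem leafchain.pem)"
echo "3. -CAfile root.pem leafchain.pem                        : $(verify_case root.pem leafchain.pem)"
echo "4. -CAfile root.pem -untrusted leafchain.pem leaf.pem    : $(verify_case root.pem leaf.pem leafchain.pem)"
echo "5. -CAfile root.pem -untrusted intermediates.pem leaf.pem: $(verify_case root.pem leaf.pem intermediates.pem)"
echo "6. -CAfile root.pem -untrusted ica2.pem leaf.pem         : $(verify_case root.pem leaf.pem ica2.pem)"
```

Cases 1, 2, 4 and 5 print OK; case 3 fails at depth 0 exactly as in the post, and case 6 shows the same failure one level up (ica2 is found as an untrusted issuer, but nothing links it to the trust anchor because ica1 was not supplied). Untrusted certificates are only candidates: they still have to chain, by signature, to something in -CAfile before verification succeeds, which is why handing openssl the whole leafchain.pem as -untrusted is harmless but handing it as the positional argument does nothing for the intermediates.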
