> On Aug 13, 2017, at 11:39 AM, Sudarshan Raghavan <sudarshan.t.raghavan@xxxxxxxxx> wrote:
>
> 3. openssl verify -CAfile <root ca> <chain containing leaf, intermediate ca 2, intermediate ca 1 and root ca in that order>. This fails with this error
>
> "error 20 at 0 depth lookup: unable to get local issuer certificate
> error leafchain.pem: verification failed"
>
> I understand the reason for this is, the issuer of leaf certificate (intermediate ca 2) is not part of the trusted chain.

Actually, that's not the reason. The positional [certificates] arguments to verify(1) are not "chains". Only the first (leaf) certificate of each of the argument files is processed. To import additional chain elements use the [-untrusted file] argument to provide additional untrusted certificates with which to build the chain.

--
	Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
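
The behaviour described in the reply, reproduced as an added example that is not part of the original thread. It builds a throwaway four-level PKI and runs both forms of the command; the subject names, file names and function names are all assumptions made up for the demonstration.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI (all names are made up): root -> int1 -> int2 -> leaf

new_csr() {   # new_csr <path-prefix> <CN>: fresh key plus CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

sign() {      # sign <subject-prefix> <issuer-prefix> <extension-file>
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
}

build_demo_pki() {   # build_demo_pki <dir>
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    new_csr "$d/root" "Demo Root CA" || return 1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    new_csr "$d/int1" "Demo Intermediate CA 1" || return 1
    sign "$d/int1" "$d/root" "$d/ca.ext" || return 1
    new_csr "$d/int2" "Demo Intermediate CA 2" || return 1
    sign "$d/int2" "$d/int1" "$d/ca.ext" || return 1
    new_csr "$d/leaf" "leaf.example.test" || return 1
    sign "$d/leaf" "$d/int2" "$d/leaf.ext" || return 1
    # The file from the question: leaf, int2, int1, root in that order.
    cat "$d/leaf.pem" "$d/int2.pem" "$d/int1.pem" "$d/root.pem" > "$d/chain.pem"
    # Intermediates only, offered as untrusted chain-building material.
    cat "$d/int2.pem" "$d/int1.pem" > "$d/inter.pem"
}

# What the question ran: the whole chain as one positional argument.
# Only the first certificate (the leaf) in chain.pem is read.
verify_positional_chain() {
    openssl verify -CAfile "$1/root.pem" "$1/chain.pem" 2>&1
}

# Trust only the root; supply the intermediates with -untrusted.
verify_with_untrusted() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" 2>&1
}

demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" || exit 1
verify_positional_chain "$demo_dir" || echo "-> failed as in the question"
verify_with_untrusted "$demo_dir"
```

Certificates passed with `-untrusted` only help build the path; the chain is accepted only because it ends at the root given with `-CAfile`.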