Re: certificate chains and verification requirements

>> Actually, that's not the reason.  The positional [certificates]
>> arguments to verify(1) are not "chains".  Only the first (leaf)
>> certificate of each of the argument files is processed.

Ok, that makes sense. Thanks for the update. I was trying this experiment to understand a client authentication failure in a similar scenario. I can now look at the code to figure out what is going on.

Regards,
Sudarshan

On Sun, Aug 13, 2017 at 9:49 AM, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:

> On Aug 13, 2017, at 11:39 AM, Sudarshan Raghavan <sudarshan.t.raghavan@gmail.com> wrote:
>
> 3. openssl verify -CAfile <root ca> <chain containing leaf, intermediate ca 2, intermediate ca 1 and root ca in that order>. This fails with this error
>
> "error 20 at 0 depth lookup: unable to get local issuer certificate
> error leafchain.pem: verification failed"
>
> I understand the reason for this is, the issuer of leaf certificate (intermediate ca 2) is not part of the trusted chain.

Actually, that's not the reason.  The positional [certificates]
arguments to verify(1) are not "chains".  Only the first (leaf)
certificate of each of the argument files is processed.

To import additional chain elements use the [-untrusted file]
argument to provide additional untrusted certificates with
which to build the chain.

--
        Viktor.
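The behaviour Viktor describes, reproduced end to end as an added example (this script is not from the thread or from the OpenSSL project; all file names, CNs and the scratch directory are made up). It builds a root -> ICA1 -> ICA2 -> leaf hierarchy with throwaway P-256 keys, then shows three things: the bundle as a positional argument fails with "error 20 at 0 depth lookup" because only its first certificate is read; the same bundle given via -untrusted lets verify(1) build the chain; and a certificate appended after the leaf in the positional file is never looked at, which is the "not a chain" point in practice.

```shell
#!/bin/sh
# Added example, not code from the thread. Needs openssl 1.1.1 or later on PATH
# (-addext, -pkeyopt). Every name below (root, ica1, ica2, leaf, stray) is
# hypothetical.
set -eu

# Minimal req(1) config so nothing depends on the system openssl.cnf.
write_req_config() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
}

# Issue $1/$2.pem for CN=$2, signed by the $3.pem/$3.key pair, with the
# extensions from $1/$4.ext (CA:TRUE for intermediates, CA:FALSE for the leaf).
issue() {
    d=$1 name=$2 issuer=$3 ext=$4
    openssl req -new -config "$d/req.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/$name.key" -out "$d/$name.csr" -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -days 30 \
        -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" -CAcreateserial \
        -extfile "$d/$ext.ext" -out "$d/$name.pem" 2>/dev/null
}

# Build the hierarchy in scratch directory $1 and the two bundles used below.
build_hierarchy() {
    write_req_config "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$1/leaf.ext"
    # Self-signed root (the trust anchor) and an unrelated self-signed cert.
    for cn in root stray; do
        openssl req -x509 -config "$1/req.cnf" -newkey ec \
            -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 30 \
            -keyout "$1/$cn.key" -out "$1/$cn.pem" -subj "/CN=$cn" \
            -addext 'basicConstraints=critical,CA:TRUE' \
            -addext 'keyUsage=critical,keyCertSign,cRLSign' 2>/dev/null
    done
    issue "$1" ica1 root ca
    issue "$1" ica2 ica1 ca
    issue "$1" leaf ica2 leaf
    # The bundle from the thread: leaf, ICA2, ICA1, root, in that order.
    cat "$1/leaf.pem" "$1/ica2.pem" "$1/ica1.pem" "$1/root.pem" > "$1/leafchain.pem"
    # The leaf followed by a certificate that can never chain to the root.
    cat "$1/leaf.pem" "$1/stray.pem" > "$1/leaf_plus_stray.pem"
}

# 1. Step 3 from the thread: the bundle as the positional argument. Only its
#    first certificate (the leaf) is read, no ICA2 is available, and verify
#    reports "unable to get local issuer certificate" at depth 0.
#    Returns 0 when exactly that failure is reproduced.
verify_bundle_as_positional() {
    out=$(openssl verify -CAfile "$1/root.pem" "$1/leafchain.pem" 2>&1) && return 1
    case $out in
        *"unable to get local issuer certificate"*) return 0 ;;
    esac
    return 1
}

# 2. Viktor's fix: hand the bundle to -untrusted and the leaf positionally.
#    The root inside the bundle carries no trust; trust still comes from
#    -CAfile. Returns openssl's exit status (0 on "leaf.pem: OK").
verify_with_untrusted() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/leafchain.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# 3. Only the first certificate of a positional file is processed: the stray
#    self-signed cert after the leaf could never verify, yet the file is OK.
verify_ignores_later_certs() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/leafchain.pem" \
        "$1/leaf_plus_stray.pem" >/dev/null 2>&1
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; return 0; }
    work=$(mktemp -d)
    build_hierarchy "$work"
    verify_bundle_as_positional "$work" && echo "bundle as positional arg: error 20 at depth 0, as in the thread"
    verify_with_untrusted "$work" && echo "bundle via -untrusted, leaf positional: OK"
    verify_ignores_later_certs "$work" && echo "leaf + unrelated cert in one positional file: OK (second cert never read)"
    rm -rf "$work"
}
main
```

For the client-authentication case in the thread, the same rule applies on the TLS side: the server must receive the intermediates in the client's Certificate message (or have them available as untrusted chain material), because a lone leaf cannot be chained to the root by the verifier any more than it can here.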

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
