> On Jan 9, 2018, at 5:55 PM, Norm Green <norm.green@xxxxxxxxxxxxxxxxxx> wrote:
>
> Same result. The only way it seems to work is if the leaf cert appears at the end of the file.

You're badly mistaken. *ONLY* the first certificate in the file is verified. When you put the leaf cert at the end, you're *ONLY* verifying the top-most issuer CA certificate.

The correct way to verify a chain is to put the root CA in a CAfile, intermediate CAs in an "untrusted" chain file, and the leaf cert all by itself in a separate file. As explained upstream.

If that's not working, then perhaps your chain is actually incomplete or otherwise does not satisfy all the requirements.

--
Viktor.
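
The layout described in the reply above, as an added example that is not part of the original message: the script builds a throwaway root, intermediate and leaf, then compares the separate-file invocation of `openssl verify` with the single-file one. All certificate names, file names and the `mkcert`/`verifies`/`report` helpers are constructed for illustration.

```shell
#!/bin/sh
# Added demo: throwaway three-level chain; all names and files here are constructed.
set -eu
cd "$(mktemp -d)"

printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > ee.ext

# mkcert NAME CN EXTFILE SERIAL [ISSUER]; self-signed when ISSUER is omitted
mkcert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
  if [ -n "${5:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$5.pem" -CAkey "$5.key" \
      -set_serial "$4" -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -set_serial "$4" -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  fi
}

mkcert root  "Demo Root CA"         ca.ext 1
mkcert int   "Demo Intermediate CA" ca.ext 2 root
mkcert leaf  "leaf.example.test"    ee.ext 3 int
mkcert rogue "rogue.example.test"   ee.ext 4   # self-signed, not issued by the chain

# Succeeds only when openssl verify reports the target certificate as OK
verifies() { openssl verify "$@" 2>/dev/null | grep -q ': OK$'; }

cat root.pem int.pem rogue.pem > leaf_last.pem   # one file, end-entity cert last
cat leaf.pem int.pem root.pem  > leaf_first.pem  # one file, end-entity cert first

report() { if verifies "$@"; then echo "OK     : $*"; else echo "FAILED : $*"; fi; }
report -CAfile root.pem -untrusted int.pem leaf.pem    # separate files: chain is built
report -CAfile root.pem -untrusted int.pem rogue.pem   # unrelated leaf is rejected
report -CAfile root.pem leaf_last.pem    # passes, yet only root.pem (first cert) was checked
report -CAfile root.pem leaf_first.pem   # fails: the intermediate after the leaf is ignored
```

The third line of output is the false positive: the file ends with a certificate the chain never issued, and the command still reports OK because only the first certificate in the file is the verification target.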