> On Jan 9, 2018, at 7:28 PM, Norm Green <norm.green@xxxxxxxxxxxxxxxxxx> wrote: > > It still doesn't verify correctly. Or correctly fails to verify? > To simplify, I tried it with 1 intermediate CA. Here's the chain: > > rootCa.pem - self-signed root cert. CN = rootCA > firstIntermedCa.pem - intermediate CA cert signed by rootCa.pem. CN = EmeaCA > secondIntermedCa.pem - intermediate CA cert signed by firstIntermedCa.pem. CN = KapitalCA Without the certificates (no private keys, just the certs) in question it quite difficult to offer much help. > openssl verify -verbose -show_chain -CAfile rootCa.pem -untrusted firstIntermedCa.pem secondIntermedCa.pem > 1.3.6.1.4.1.47749.1.1 = userCA, CN = KapitalCA > error 20 at 0 depth lookup: unable to get local issuer certificate > error secondIntermedCa.pem: verification failed In addition to posting the certificates in question, please post (again even if posted previously) what version of OpenSSL you're using, the output of: $ openssl version -a will suffice. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
