On Wed, 2022-12-21 at 17:26 +0000, Bala Duvvuri via openssl-users wrote:
> I have a concatenated file containing root CA and intermediate CA
> (say concat.pem, having the 2 CA certificates) copied to a directory
> say "ca"
>
> I have an entity certificate (cert1) signed by above intermediate CA
> (say inter.pem)
>
> The observation is
>
> This command works : openssl verify -CAfile ca/concat.pem cert1
>
> This command does not work: openssl verify -CApath ca cert1 ((ca
> directory has concat.pem in hash.0 format))
> But if we copy the intermediate CA as well to the ca/ directory, the
> above command works

Because the -CApath option expects each of the CA certificates to be
placed in the ca directory in a separate file with the hash.x symlink.

Basically the second certificate in the concat.pem file is ignored if
placed in -CApath directory.

-- 
Tomáš Mráz, OpenSSL
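
Added example, not part of the original message: one way to turn a concatenated bundle such as concat.pem into the one-certificate-per-file layout that -CApath expects, with a hash.N link for each CA. The function names and the ca-N.pem file naming are hypothetical choices made for this sketch.

```shell
#!/bin/sh
# split_bundle BUNDLE OUTDIR
# Writes every PEM certificate block found in BUNDLE to its own file
# OUTDIR/ca-N.pem (hypothetical naming) and prints how many were written.
# Text between the blocks (subject lines, comments) is dropped.
split_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/ca-%d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# link_by_hash DIR
# Gives each ca-*.pem in DIR the <subject_hash>.N symlink that the
# -CApath lookup uses. N starts at 0 and increases only when two
# certificates share the same subject hash. Intended for a freshly
# split directory; running it twice adds duplicate links.
link_by_hash() {
    dir=$1
    for f in "$dir"/ca-*.pem; do
        [ -e "$f" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$f") || return 1
        i=0
        while [ -e "$dir/$h.$i" ] || [ -L "$dir/$h.$i" ]; do
            i=$((i + 1))
        done
        ln -s "$(basename "$f")" "$dir/$h.$i"
    done
}

# Typical use, with the file names from the thread:
#   split_bundle ca/concat.pem ca && link_by_hash ca
#   openssl verify -CApath ca cert1
```

On OpenSSL 1.1.0 and later, `openssl rehash ca` can replace the link_by_hash step once the bundle has been split.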