Why can't I verify this certificate chain?

You don't have to cat the two certificates together in order to verify them.

If you have the following three certificates:

  • root.pem - stores a self-signed certificate.
  • intermediate.pem - stores a certificate signed by root.pem
  • john.pem - stores a certificate signed by intermediate.pem

And you trust only root.pem, then you would verify john.pem with the following command:

openssl verify -CAfile root.pem -untrusted intermediate.pem john.pem

If you had many intermediates, you could just chain -untrusted intermediate2.pem -untrusted intermediate3.pem ...


What @antiduh said only works for the single intermediate certificate case for me. Adding more than one -untrusted intermediate.pem to the command does not seem to work. Not sure whether it is related to a specific openssl version.

According to the openssl documentation (https://linux.die.net/man/1/verify):

-untrusted file

A file of untrusted certificates. The file should contain multiple certificates

In my case I have a chain like: root.pem -> intermediate1.pem -> intermediate2.pem -> john.pem

By concatenating (cat) intermediate1.pem and intermediate2.pem into a single intermediate-chain.pem file and then running openssl verify -CAfile root.pem -untrusted intermediate-chain.pem john.pem, it works for me.

Also, it seems that in the ca extension you need to set basicConstraints = CA:true, otherwise I still encounter an openssl verify error.