OpenSSL "verify -untrusted" - Specify Untrusted Certificate
How do I specify the intermediate CA certificates that form the signing chain for the server certificate when using the OpenSSL "verify" command? I have the certificate chain from the server saved in a file.
✍: FYIcenter.com
If you have the server certificate chain saved in a file,
you can provide it to the OpenSSL "verify" command using the "-untrusted" option
as shown below:
    C:\Users\fyicenter>\local\openssl-win32\bin\openssl.exe
    OpenSSL> verify -untrusted twitter_chain.pem twitter.pem
    twitter.pem: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
    error 20 at 1 depth lookup:unable to get local issuer certificate
    error in verify
The certificate validation failed again with the same error: "unable to get local issuer certificate". But this time, it failed "at 1 depth lookup" instead of "at 0 depth lookup" as shown in the previous tutorial.
This tells us that the validation failed while locating the certificate of the issuer named on the intermediate CA certificate. To find out who this issuer is, we need to look at the content of the certificate chain file, "twitter_chain.pem".
    C:\Users\fyicenter>type twitter_chain.pem
    CONNECTED(0000017C)
    ---
    Certificate chain
     0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=...
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
    -----BEGIN CERTIFICATE-----
    MIIHnTCCBoWgAwIBAgIQB3a13cqDpLnKWY9ddx+eRjANBgkqhkiG9w0BAQsFADB1
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
    ...
    -----END CERTIFICATE-----
     1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    -----BEGIN CERTIFICATE-----
    MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
    ,,,
    -----END CERTIFICATE-----
    ---
    Server certificate
    ...
Looking at the content of the certificate chain, we know that the issuer at 1 depth is "DigiCert High Assurance EV Root CA", which is a root CA.
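The "error 20 at 1 depth lookup" result and its resolution can be reproduced offline with a constructed three-level chain. The script below is an added example, not part of the original tutorial; the file names, the "Constructed ..." subjects and the function names are assumptions. Certificates passed with "-untrusted" are only used to build the path, so trust still has to come from "-CAfile" or the default trust store.

```shell
#!/bin/sh
# Added example: every name, subject and file below is constructed.
# Builds root -> inter -> leaf in directory $1 (CSR first, then signing).
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=Constructed $n" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root CA
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 1 -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA signed by the root
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/inter.pem" 2>/dev/null || return 1
    # Leaf signed by the intermediate
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null || return 1
    # Chain file shaped like the page's: leaf first, then the intermediate
    cat "$d/leaf.pem" "$d/inter.pem" > "$d/chain.pem"
}

# Same situation as on the page: intermediates supplied, root not trusted.
verify_untrusted_only() {
    openssl verify -untrusted "$1/chain.pem" "$1/leaf.pem" 2>&1
}

# Root supplied as the trust anchor; chain.pem still only helps build the path.
verify_with_root() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/leaf.pem" 2>&1
}

demo_dir=$(mktemp -d) && make_chain "$demo_dir" && {
    verify_untrusted_only "$demo_dir" || echo "(failed as expected: root is not trusted)"
    verify_with_root "$demo_dir"
}
rm -rf "$demo_dir"
```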
2012-07-24