On Mon, Aug 26, 2002, Olaf Zaplinski via RT wrote: > > OpenSSL self-test report: > > OpenSSL version: 0.9.6g > Last change: [In 0.9.6g-engine release:]... > Options: no-idea --prefix=/usr/local --openssldir=/usr/local/ssl > no-threads shared > OS (uname): Linux binky 2.4.19 #1 Fri Aug 9 10:17:44 CEST 2002 i586 > unknown > OS (config): i586-whatever-linux2 > Target (default): linux-elf > Target: linux-elf > Compiler: gcc version 2.95.3 20010315 (release) > > > Hi all, > > openssl x509 -purpose -in /etc/certs/foo.pem says: > > Certificate purposes: > SSL client : No > SSL client CA : No > SSL server : Yes > SSL server CA : No > Netscape SSL server : Yes > Netscape SSL server CA : No > S/MIME signing : No > S/MIME signing CA : No > S/MIME encryption : No > S/MIME encryption CA : No > CRL signing : Yes > CRL signing CA : No > Any Purpose : Yes > Any Purpose CA : Yes > > > But > openssl verify -verbose -CAfile /etc/certs/ca.pem /etc/certs/foo.pem says: > 'error 20 at 0 depth lookup:unable to get local issuer certificate' >
What that is saying is that the it can't find the CA certificate of foo.pem in ca.pem. This could be because it doesn't contain the certificate or it could be a bug. Why dont' you include the contents of files foo.pem and cacert.pem? You can also try the -issuer_checks option to see why it is rejecting any candidate CA certificates. Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
