On 7/2/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
On Sun, Jul 02, 2006, snacktime wrote:
>
> openssl verify -CAfile chain.pem test.cer
> test.cer: /CN=test/OU=test/O=test/ST=test/emailAddress=test/C=test
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
That means it can't find the CA that signed test.csr. That could be because
its the wrong CA in "chain.pem" or the names don't match or there is an
extension issue.
Forgive my ignorance, but what names have to match? That might be
where I am going wrong, because I'm not sure what you mean:)
>
> So anyways I am at a loss as to how to debug this further. I'd be
> happy to post the certificates in question if that helps.
>
Yes that would help, please post them.
Here is the root ca:
-----BEGIN CERTIFICATE-----
MIIEOTCCA6KgAwIBAgIBADANBgkqhkiG9w0BAQQFADCByjELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxGzAZBgNVBAoT
ElBheW1lbnQgT25saW5lIEluYzEmMCQGA1UECxMdQ2VydGlmaWNhdGUgU2Vydmlj
ZXMgRGl2aXNpb24xIzAhBgNVBAMTGlBheW1lbnQgT25saW5lIEluYyBSb290IENB
MSowKAYJKoZIhvcNAQkBFhtjZXJ0YWRtaW5AcGF5bWVudG9ubGluZS5jb20wHhcN
MDIwNDEzMTkxMTQwWhcNMjkwODI5MTkxMTQwWjCByjELMAkGA1UEBhMCVVMxEzAR
BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxGzAZBgNVBAoTElBh
eW1lbnQgT25saW5lIEluYzEmMCQGA1UECxMdQ2VydGlmaWNhdGUgU2VydmljZXMg
RGl2aXNpb24xIzAhBgNVBAMTGlBheW1lbnQgT25saW5lIEluYyBSb290IENBMSow
KAYJKoZIhvcNAQkBFhtjZXJ0YWRtaW5AcGF5bWVudG9ubGluZS5jb20wgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBANMOmsQee6bNyH36d7c/3fNYcMArLcwwEFQW
morfaOc1AhX/sRT4XoP4QE88fkgCFZLOEvHnJlYGjokWyzT5gZfir7fRexcd9VIL
TFsyH8OtG9ewvLL88hk5uYKsKArlk3wNsk6NRFfXb0MjgYP0/aaTTip8MH1wbfSV
jqGzvzYTAgMBAAGjggErMIIBJzAdBgNVHQ4EFgQU4L+mQwd14jvc5v+u+aDDSMDj
FewwgfcGA1UdIwSB7zCB7IAU4L+mQwd14jvc5v+u+aDDSMDjFeyhgdCkgc0wgcox
CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0
dGxlMRswGQYDVQQKExJQYXltZW50IE9ubGluZSBJbmMxJjAkBgNVBAsTHUNlcnRp
ZmljYXRlIFNlcnZpY2VzIERpdmlzaW9uMSMwIQYDVQQDExpQYXltZW50IE9ubGlu
ZSBJbmMgUm9vdCBDQTEqMCgGCSqGSIb3DQEJARYbY2VydGFkbWluQHBheW1lbnRv
bmxpbmUuY29tggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAqNDg
FofD9ij1LQt2KT3r2tkBOFsnf9/lSxwksI4c8ywDe99BkKYImsqvAPf7emm99BU/
rxfI668TrHLkM0APJc5CAFe2wMH/MdL4zOgdgcPRo16ML5Xu/30eX4xRo1/VU7Ke
ahGXASk8rICVIv5/KlQZfSP0qLUDm6acuMO7abo=
-----END CERTIFICATE-----
Client certificate that verfies:
-----BEGIN CERTIFICATE-----
MIIFOzCCBKSgAwIBAgIDGDcqMA0GCSqGSIb3DQEBBAUAMIHPMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2VhdHRsZTEbMBkGA1UE
ChMSUGF5bWVudCBPbmxpbmUgSW5jMSQwIgYDVQQLExtDbGllbnQgQ2VydGlmaWNh
dGUgU2VydmljZXMxKjAoBgNVBAMTIVBheW1lbnQgT25saW5lIENsaWVudCBTZXJ2
aWNlcyBDQTEqMCgGCSqGSIb3DQEJARYbY2VydGFkbWluQHBheW1lbnRvbmxpbmUu
Y29tMB4XDTA1MDIxNzE2NTYxNFoXDTA4MDIxNzE2NTYxNFowgaoxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRswGQYD
VQQKExJQYXltZW50IE9ubGluZSBJbmMxDTALBgNVBAsTBHBvaTIxIDAeBgNVBAMU
F2NocmlzQHBheW1lbnRvbmxpbmUuY29tMSYwJAYJKoZIhvcNAQkBFhdjaHJpc0Bw
YXltZW50b25saW5lLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AL4jZFpQ7peMG4b9PLaVV3fgBCJnqrVzgVKi6Kj0Ar91e69XVESpD9TcRY0Z1yiA
v2QTjac8s1rDw+qV71yPcUN7ZmII9GIeUWYtuwozHMNTDwEEukwuVa0mS25XM7Zq
8HTMMwYIFyDcHvbm73/wTRlwq5xjE1x68rgudrGzRNhRJUXD4mBmHPSB2ys69pht
tKEIBrWICccXZw6eNoT6O4ySb+numVgNVa3M2gfeBBuN2ClVWkK7QwyvyxUjdqaq
evYhBefzuGsRhifE8UF/+cpOIN7my4oRDsbazPbN0diXecP3BJHxjALyAFlzLqro
VqPiM/Q8KnSIwc3CEc8eIhUCAwEAAaOCAcIwggG+MAkGA1UdEwQCMAAwCwYDVR0P
BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU
sZMUm3ug6SU9NKLSRCeoXuE1dtIwgfcGA1UdIwSB7zCB7IAUW2+s41JHF42I7kaW
kLx4MNaBA8mhgdCkgc0wgcoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n
dG9uMRAwDgYDVQQHEwdTZWF0dGxlMRswGQYDVQQKExJQYXltZW50IE9ubGluZSBJ
bmMxJjAkBgNVBAsTHUNlcnRpZmljYXRlIFNlcnZpY2VzIERpdmlzaW9uMSMwIQYD
VQQDExpQYXltZW50IE9ubGluZSBJbmMgUm9vdCBDQTEqMCgGCSqGSIb3DQEJARYb
Y2VydGFkbWluQHBheW1lbnRvbmxpbmUuY29tggEBMCIGA1UdEQQbMBmBF2Nocmlz
QHBheW1lbnRvbmxpbmUuY29tMEgGA1UdHwRBMD8wPaA7oDmGN2h0dHA6Ly9wYXln
dy5zZWEucGF5bWVudG9ubGluZS5jb20vQ2xpZW50Q0EvY3JsL2NybC5wZW0wDQYJ
KoZIhvcNAQEEBQADgYEAXXQUHWHGljoyLwDO1qnLohAseHnrtP6t6RcAsKCiFglE
9OX8W+FuUrVGLaMRuPzNWmbxJJNozZQp3ZpABr+rfjg72J1S3bAT9nd58YIocBm0
ld8ivx0MejZfpzkLrJJxBOREBEMvyho6Q6LxGE+x3pe9S9ejUtyD8kD5fMoKp24=
-----END CERTIFICATE-----
Client certificate that does not verify:
-----BEGIN CERTIFICATE-----
MIIEBTCCA26gAwIBAgIBAzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxGzAZBgNVBAoM
ElBheW1lbnQgT25saW5lIEluYzEmMCQGA1UECwwdQ2VydGlmaWNhdGUgU2Vydmlj
ZXMgRGl2aXNpb24xIzAhBgNVBAMMGlBheW1lbnQgT25saW5lIEluYyBSb290IENB
MSowKAYJKoZIhvcNAQkBFhtjZXJ0YWRtaW5AcGF5bWVudG9ubGluZS5jb20wHhcN
MDYwNzAyMjIwMzM2WhcNMDcwNzAyMjIwMzM2WjBgMQwwCgYDVQQDDANGb28xDDAK
BgNVBAsMA0ZvbzEMMAoGA1UECgwDRm9vMQswCQYDVQQIDAJXQTEaMBgGCSqGSIb3
DQEJARYLZm9vQGZvby5vcmcxCzAJBgNVBAYTAlVTMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDFULl9nMJYkJqEcIWOI6tF3ir5H1bNURG9bJzp1cp7toAB6TzB
15fWg8OdUa23N6JkCipZMHa6lb51vbfosgccBiRhqoOoDCoIm2/A1qLuG4PyyXim
k2wLp/fdREprNozF3lISoHG3+x8hqj5AlM7U67wmGm/I0ZblyfGjW3fK6wIDAQAB
o4IBYjCCAV4wCQYDVR0TBAIwADAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/Y
BwkwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBYGA1UdEQQPMA2B
C2Zvb0Bmb28ub3JnMIH3BgNVHSMEge8wgeyAFOC/pkMHdeI73Ob/rvmgw0jA4xXs
oYHQpIHNMIHKMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G
A1UEBxMHU2VhdHRsZTEbMBkGA1UEChMSUGF5bWVudCBPbmxpbmUgSW5jMSYwJAYD
VQQLEx1DZXJ0aWZpY2F0ZSBTZXJ2aWNlcyBEaXZpc2lvbjEjMCEGA1UEAxMaUGF5
bWVudCBPbmxpbmUgSW5jIFJvb3QgQ0ExKjAoBgkqhkiG9w0BCQEWG2NlcnRhZG1p
bkBwYXltZW50b25saW5lLmNvbYIBADANBgkqhkiG9w0BAQUFAAOBgQAqq25CCOHN
AHlwWsKPbxKwWREKPFFDx73D6Fpj0nYFVe//tRNUQCFLlzFs+DeUp1x1SSMAqyCd
/ero5PaJwEXsTrAUtsC0lHYvZfCIP0le2D1jMsFy18uw4WzZRPy2sWtlQ9MKcwVH
bjDpJl7H+yHg3taMfe84IKad4iaqrp+bMA==
-----END CERTIFICATE-----
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
