Olaf Gellert wrote:
Tim Traver wrote:

    openssl verify -purpose sslserver cert.crt

where cert.crt is the cert and its CAcert and the root cert in PEM
format...this is done on the command line, and it always gives me this
error:

    error 20 at 0 depth lookup:unable to get local issuer certificate

and I'm not sure what that really means...do I need to specify valid
root certs? am I calling this wrong???

OpenSSL starts with the server certificate and tries
to validate up to the root certificate. So it has to
get the issuer certificate of the server certificate
to be able to check the signature. This validation
process goes up to the (self-signed) root certificate.
It seems that OpenSSL does not look for the issuer
certificates in "server.crt", but in the file
specified with "-CAfile". So to check a certificate
in file "server.crt", put the CA certificates up
to the root in "cafile.pem" and call

    openssl verify -purpose sslserver -CAfile cafile.pem server.crt

Regards, Olaf

Thank you Olaf, as that appears to solve my issue,
Tim.
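
The two invocations from this thread, reproduced against a throw-away three-level chain; this is an added example, not part of the original messages. It also runs a root-only -CAfile to show that the intermediate has to be supplied as well. The CA names, the host name, and the helper names (make_chain, new_cert, verify_ok, demo) are constructed for illustration.

```sh
#!/bin/sh
# Added example: constructed CA chain; every name and path here is made up.

make_chain() {  # $1 = empty working directory
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  # Self-signed root certificate
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -extensions v3_ca \
    -subj "/CN=Constructed Root CA" -keyout "$d/root.key" -out "$d/root.crt" \
    -days 2 2>/dev/null || return 1
  # Intermediate signed by the root, server certificate signed by the intermediate
  new_cert "$d" int "Constructed Intermediate CA" root v3_ca || return 1
  new_cert "$d" server "server.example.test" int v3_server || return 1
  cat "$d/server.crt" "$d/int.crt" "$d/root.crt" > "$d/cert.crt"  # the question's layout
  cat "$d/int.crt" "$d/root.crt" > "$d/cafile.pem"                 # the reply's layout
}

new_cert() {  # args: dir name CN issuer-name extension-section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" -CAcreateserial \
    -extfile "$1/ca.cnf" -extensions "$5" -out "$1/$2.crt" -days 2 2>/dev/null
}

# True only when openssl prints "<file>: OK" (does not rely on the exit status)
verify_ok() { openssl verify -purpose sslserver "$@" 2>&1 | grep -q ': OK$'; }

demo() {
  d=$(mktemp -d) && make_chain "$d" || return 1
  verify_ok "$d/cert.crt" && echo "bundle only: OK" || echo "bundle only: FAILED"
  verify_ok -CAfile "$d/root.crt" "$d/server.crt" && echo "root only: OK" || echo "root only: FAILED"
  verify_ok -CAfile "$d/cafile.pem" "$d/server.crt" && echo "full CAfile: OK" || echo "full CAfile: FAILED"
  rm -rf "$d"
}
demo
```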