Thank you, the certificate was verified as valid. As far as the CAPATH command, is it literally called "CAPATH"? Because I couldn't find any reference to it in the openssl documentation.

Carlo

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Duncan Berriman
Sent: Thursday, July 09, 2009 3:18 PM
To: openssl-users@openssl.org
Subject: Re: " unable to get local issuer certificate" & certificate not trusted errors

It's likely that the certificate is not installed correctly and that the person who installed it did not install the intermediate CA which comes with it. This isn't always obvious and doesn't usually cause a problem unless it is the first site the visitor has visited that uses that intermediate CA.

Most suppliers have a utility (online) to check that certificates are installed correctly so I'd advise you go to Equifax's site and run their test against the site/server concerned.

If that's ok then it may be you need to specify CAPATH on the openssl command to the appropriate directory.

Duncan

On 9 Jul 2009, at 21:20, Agopian, Carlo wrote:

> Hello,
>
> I'm getting the same error 20 as below for a different site. I did find out that the certificate issuer is Equifax Secure Certificate Authority. Obviously this is not one of the popular CA's such as thawte,verisign,etc. Is this my problem? If so how do I tell openssl to recognize this CA? Following is my entire error for your reference.
> Thanks in advance for your help.
>
>> openssl s_client -quiet -connect 12.175.11.57:443
> depth=0 /C=US/ST=Wisconsin/L=Madison/O=Integrasys/OU=Madison/CN=model.goxroads.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=Wisconsin/L=Madison/O=Integrasys/OU=Madison/CN=model.goxroads.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=Wisconsin/L=Madison/O=Integrasys/OU=Madison/CN=model.goxroads.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> Carlo
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Saju Paul
> Sent: Friday, February 01, 2008 10:39 AM
> To: openssl-users@openssl.org
> Subject: RE: " unable to get local issuer certificate" & certificate not trusted errors
> Importance: High
>
> Who is the signer of certificate newcert.pem? Is it a self-signed certificate? It should not be. newcert.pem should be signed by a trusted CA (thawte,verisign,godaddy etc.) or by a CA that is in google/gmail's CA repository.
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]on Behalf Of gopinath ethiraja
> Sent: Friday, February 01, 2008 5:11 AM
> To: openssl-users@openssl.org; openssl-...@openssl.org
> Subject: " unable to get local issuer certificate" & certificate not trusted errors
>
> I tried to connect to a server using the s_client command, but I get an error stating
>
> " unable to get local issuer certificate" & also it gives certificate not trusted "
>
> How to overcome these errors?
>
> C:\OpenSSL\bin>openssl s_client -connect gmail.com:443 -verify 3 -cert newcert.pem -key newkey.pem -CAfile cacert.pem -state
> verify depth is 3
> Enter pass phrase for newkey.pem:
> Loading 'screen' into random state - done
> CONNECTED(000002D4)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
> verify return:1
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read finished A
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
>    i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>  1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> ---
> Server certificate
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
> issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1778 bytes and written 322 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol : TLSv1
>     Cipher : AES256-SHA
>     Session-ID: 78B1A16CBC8BFA005701E93ABC140387DEEC3CB62CB4396265BB4CD6490A9FEE
>     Session-ID-ctx:
>     Master-Key: 55DF03F5380E46145D0673EB66A82201810AC9E4CA82A7BD8E4DA4CCE34AB589C9C79C560951DFF731B26A537A43DC11
>     Key-Arg : None
>     Start Time: 1201860116
>     Timeout : 300 (sec)
>     Verify return code: 27 (certificate not trusted)
> ---
> read:errno=0
> SSL3 alert write:warning:close notify
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
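
The two failures quoted in this thread (error 20 at depth 0 when the intermediate is missing, error 20 at depth 1 when the root is not in the trust store) can be reproduced offline with `openssl verify`, whose `-CAfile` and `-CApath` options are also accepted by `s_client`. This is an added example, not code from any participant in the thread; it assumes the `openssl` CLI is on the PATH, and the CA and host names in it are constructed.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf chain; all names are hypothetical.
work=$(mktemp -d) && cd "$work" || exit 1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# gen <name> <CN> <extfile> <signing options...>: new key + CSR, then issue the certificate
gen() {
  n=$1; cn=$2; ext=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$n.key" -out "$n.csr" 2>/dev/null &&
  openssl x509 -req -in "$n.csr" -days 2 -extfile "$ext" "$@" -out "$n.pem" 2>/dev/null
}

# verify_at <openssl verify args>: prints OK, or "<error>@<depth>" for the first failure
verify_at() {
  out=$(openssl verify "$@" 2>&1) || true
  err=$(printf '%s\n' "$out" |
    sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/\1@\2/p' | head -n 1)
  if [ -n "$err" ]; then echo "$err"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then echo OK
  else echo UNEXPECTED; fi
}

gen root  "Example Root CA"         ca.ext   -signkey root.key
gen inter "Example Intermediate CA" ca.ext   -CA root.pem  -CAkey root.key  -CAcreateserial
gen leaf  "leaf.example.test"       leaf.ext -CA inter.pem -CAkey inter.key -CAcreateserial

# -CApath expects a directory whose PEM files are named <subject-hash>.0
mkdir roots empty
cp root.pem "roots/$(openssl x509 -hash -noout -in root.pem).0"

# Root trusted, but nobody supplies the intermediate: error 20 at depth 0
echo "missing intermediate:        $(verify_at -CAfile root.pem leaf.pem)"
# Intermediate supplied (as a correctly configured server would send it): chain builds
echo "intermediate + -CAfile root: $(verify_at -CAfile root.pem -untrusted inter.pem leaf.pem)"
# Same trust decision expressed as a hashed directory instead of a bundle file
echo "intermediate + -CApath dir:  $(verify_at -CApath roots -untrusted inter.pem leaf.pem)"
# Intermediate supplied, but its issuer is not in the trust store: error 20 at depth 1
echo "root not trusted:            $(verify_at -CApath empty -untrusted inter.pem leaf.pem)"
```

The fix differs by depth: at depth 0 the server's chain needs the intermediate installed, while at depth 1 the client's `-CAfile` or `-CApath` needs the issuing root.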