Hello Stephen, thank you for your comment that made the verification pass. But I'm a bit confused now.
Just as a demo I moved these certs to my Windows computer and installed the Root CA into my current user's Trusted Root Certificate Authorities folder using the MMC certificates snap-in. Then I double-click the inter CA certificate and Windows says it's OK. But when I double-click the user's certificate it says that it doesn't have enough information to verify the certificate.

This is strange to me, because I can visit lots of websites where I know I don't have the intermediate CA installed and it all works. For instance I can visit gmail and it says the root is Class 3 Public Primary Certification Authority by Verisign, and I can see that it's installed in my Windows Trusted Root Certificate Authorities. The next certificate is Thawte SGC CA, which is nowhere in my Trusted Root Certificate Authorities, and finally is mail.google.com, and Windows says it's valid.

Am I missing some extension when I create the end user certificate, or what part of this puzzle is escaping my grasp?

On Fri, Jul 16, 2010 at 12:32 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Thu, Jul 15, 2010, Hugo Garza wrote:
>
> > Hello All, I'm trying to get a basic root CA setup with an intermediate CA
> > to handle all the end user certificate signing.
> >
> > So far I've created a Root CA
> > I created an intermediate CA and signed its certificate with the Root CA
> > I created an end user certificate and signed it with the intermediate CA.
> >
> > Now I want to be able to just import the Root CA and have all end user
> > certificates be verified.
> >
> > I tried running:
> > openssl verify -CAfile ../root/ca-cert.crt user.crt
> >
> > and it returns with
> > error 20 at 0 depth lookup:unable to get local issuer certificate
> >
>
> In a real world situation the user certificate and all intermediates would be
> presented and only the root CA trusted.
> With the verify command you'd do:
>
> openssl verify -CAfile root.pem -untrusted intermediate.pem user.pem
>
> where "intermediate.pem" has any intermediate CA certificates concatenated
> together, just the one in your case.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
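
The verification discussed in this thread, as an added example that is not part of the original messages: the script builds a constructed root, intermediate and user certificate (all file and subject names are made up here), then runs `openssl verify` with only the root trusted, first without and then with the intermediate supplied through `-untrusted`.

```shell
#!/bin/sh
# Constructed demo: every file name and subject below is made up for this example.

# issue DIR NAME CN EXTFILE SERIAL [ISSUER]   (self-signed when ISSUER is omitted)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  if [ -z "$6" ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -set_serial "$5" \
      -days 30 -extfile "$1/$4" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$6.pem" -CAkey "$1/$6.key" \
      -set_serial "$5" -days 30 -extfile "$1/$4" -out "$1/$2.pem" 2>/dev/null
  fi
}

# build_chain DIR: root -> inter -> user, written as DIR/{root,inter,user}.pem
build_chain() {
  # Root and intermediate are marked as CAs; the user certificate is an end entity.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$1/ee.ext"
  issue "$1" root  "Example Root CA"         ca.ext 1 &&
  issue "$1" inter "Example Intermediate CA" ca.ext 2 root &&
  issue "$1" user  "Example User"            ee.ext 3 inter
}

# Only the root is trusted and nothing else is offered: the verifier cannot
# find the issuer of user.pem, so path building stops at depth 0 (error 20).
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/user.pem" 2>&1
}

# Same trust anchor, but the intermediate is presented as an untrusted helper
# certificate, the way a peer would send it alongside its own certificate.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/user.pem" 2>&1
}

work=$(mktemp -d)
build_chain "$work"
echo "root only:  $(verify_root_only "$work")"
echo "with chain: $(verify_with_chain "$work")"
rm -rf "$work"
```

The intermediate passed with `-untrusted` is itself checked against the root; it only helps build the path and is never treated as a trust anchor.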