Hi Michael, Your "rootcacert" is not a root cert, as it was issued by "C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Client Authentication and Email". You need to append that cert as well to your CAfile.
Erik .................................... Erik Tkal Juniper OAC/UAC/Pulse Development -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Michael Ströder Sent: Wednesday, November 03, 2010 12:23 PM To: openssl-users@openssl.org Subject: openssl verify fails HI! I'm feeling dumb since this simple command fails and I cannot see why: $ openssl verify -CAfile rootcacert.pem subcacert.pem subcacert.pem: C = DE, O = SCA Deutsche Post Com GmbH, CN = Signtrust CERT Root CA 1:PN error 2 at 1 depth lookup:unable to get issuer certificate I've attached the certs (publicly downloadable). I've checked subject-/issuer names and the subject and authority key ids. Maybe I'm still overlooking something obvious? Many thanks in advance. Ciao, Michael. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org