> From: owner-openssl-us...@openssl.org On Behalf Of Brian Reichert
> Sent: Monday, 11 April, 2011 11:03
> I was hoping to get a better understanding of how to use 'verify'
> to verify server certificates.
>
> On my CentOS host, I can direct 's_client' to use the default
> CA certificate store to collect a Google SSL certificate, and this
> passes a verify check:
>
> # openssl s_client -CApath /etc/pki/tls/cert.pem \
>     -connect www.google.com:443 < /dev/null > out.google.pem
<snip>
> If I try to re-verify this certificate, though, it fails:
>
> # openssl verify -verbose -CAfile /etc/pki/tls/cert.pem \
>     -purpose sslserver -issuer_checks out.google.pem

Is /etc/pki/tls/cert.pem a file or a directory? -CApath and -CAfile are different. Use the right one.

Also note that the output from -issuer_checks is very likely to be misleading, so generally it's better not to use it.

But your likely problem is this cert uses an intermediate cert /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA. If that intermediate cert is not in your (packaged) truststore, s_client can verify because google sent it, but verify can't because verify gets only the entity cert you give it unless you also specify -untrusted. Do s_client with -showcerts and you'll see you get both the entity cert for google and this intermediate cert.

Either: put the intermediate cert in a file and give it to -untrusted; or put it in the truststore you use. If your /etc/pki/blah is managed by a package manager you probably shouldn't modify it, so you would need to make a copy of the relevant part, at minimum just a file containing the Verisign root and the intermediate.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
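The behaviour the reply describes, as an added, runnable illustration that is not part of the original thread: a throwaway root -> intermediate -> leaf chain is built locally with openssl, a concatenated leaf+intermediate file stands in for what `s_client -showcerts` would capture (no network is used), and `openssl verify` is run three ways, with the leaf alone against a root-only trust store (fails), with the intermediate passed via -untrusted (OK), and with the intermediate appended to a copy of the trust store (OK). All subject names, file names and the DNS name are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows why `openssl verify`
# needs the intermediate via -untrusted (or in the trust store) even though
# s_client verifies the same server certificate fine.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal config so `req` works on any OpenSSL release without the system
# openssl.cnf, plus extension sections for CA and server (leaf) certificates.
cat > x.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
EOF

# Key + CSR helper: $1 = file basename, $2 = subject (made-up names)
gen_csr() {
  openssl req -new -config x.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

gen_csr root  "/CN=Example Root CA"
gen_csr inter "/CN=Example Intermediate CA"
gen_csr leaf  "/CN=www.example.test"

# Self-signed root, intermediate signed by root, leaf signed by intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 2 \
  -extfile x.cnf -extensions v3_ca -out root.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile x.cnf -extensions v3_ca -out inter.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile x.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Constructed stand-in for an `s_client -showcerts` capture: the server sends
# its own certificate first, then the intermediate.
cat leaf.pem inter.pem > showcerts.pem

# Pull the second certificate (the intermediate) out of that capture.
awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 2' showcerts.pem > inter-from-chain.pem

# Wrapper: succeeds only when verify prints "<file>: OK", so the result does not
# depend on exit-code differences between OpenSSL releases.
verify_ok() {
  openssl verify "$@" 2>&1 | grep -q ': OK$'
}

# 1. Trust store holds only the root and the leaf is given alone:
#    fails with "unable to get local issuer certificate".
verify_leaf_only() {
  verify_ok -CAfile root.pem leaf.pem
}

# 2. Same trust store, intermediate supplied as untrusted chain material: OK.
verify_with_untrusted() {
  verify_ok -CAfile root.pem -purpose sslserver -untrusted inter-from-chain.pem leaf.pem
}

# 3. The other option from the reply: a private copy of the trust store with
#    the intermediate appended (the packaged store itself is left alone).
verify_with_inter_in_truststore() {
  cat root.pem inter-from-chain.pem > trust-copy.pem
  verify_ok -CAfile trust-copy.pem -purpose sslserver leaf.pem
}

# Raw output of the failing case, for the reader (exit status ignored):
openssl verify -CAfile root.pem leaf.pem || true

verify_leaf_only || echo "leaf alone: verification failed (expected)"
verify_with_untrusted && echo "with -untrusted: OK"
verify_with_inter_in_truststore && echo "with intermediate in trust-store copy: OK"
```

The awk split is the part worth reusing: `s_client -showcerts` prints the whole chain the server sent, and counting BEGIN markers is a dependable way to cut out the n-th certificate for -untrusted without hand-editing. Note that -untrusted only provides chain-building material; trust still comes solely from -CAfile/-CApath, which is why the leaf-only run fails while the root alone is still the only trust anchor in the successful runs.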