That is what I have when I don't include the intermediate in the command:

openssl s_client -connect 10.10.10.10:443 -verify 5 -state -showcerts
verify depth is 5
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
Lake/O=ACME, INC/CN=www.acme.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
Lake/O=ACME, INC/CN=www.acme.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
Lake/O=ACME, INC/CN=www.acme.com
verify error:num=21:unable to verify the first certificate
verify return:1

And this one when I include the two intermediates in cacerts.pem.

openssl s_client -connect 10.10.10.10:443 -verify 5 -CAfile cacerts.pem -showcerts
verify depth is 5
CONNECTED(00000003)
depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify return:1
depth=1 /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
verify return:1
depth=0 /serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
Lake/O=ACME, INC/CN=www.acme.com
verify return:1
---
Certificate chain
 0 s:/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
Lake/O=ACME, INC/CN=www.acme.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA



On Tue, May 21, 2013 at 7:26 PM, Wim Lewis <w...@omnigroup.com> wrote:
>
> On 21 May 2013, at 5:02 PM, Jorge Ventura wrote:
>> Because the client trusts the connection when I inform the
>> intermediate, I suppose the server is not sending the intermediate,
>> only the first certificate in the chain, and in this case the command
>> fails.
>
> That is a reasonable conclusion. You can check for sure using the 
> "-showcerts" option to openssl s_client.
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
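The check suggested in the thread can be automated by reading the "Certificate chain" section of the s_client output and listing which issuers the server did not send. The following is an added example, not part of the original messages or of OpenSSL; the function names are hypothetical and the second sample is constructed.

```python
import re

def sent_chain(text):
    """Parse the 'Certificate chain' section into (index, subject, issuer) tuples."""
    chain, field, in_chain, in_pem = [], None, False, False
    for line in text.splitlines():
        if not in_chain:
            in_chain = line.strip() == "Certificate chain"
            continue
        if line.startswith("---") and not line.startswith("-----"):
            break  # "---" closes the chain section
        in_pem = in_pem or line.startswith("-----BEGIN")
        if in_pem:  # skip the PEM bodies printed by -showcerts
            in_pem, field = not line.startswith("-----END"), None
            continue
        if m := re.match(r"\s*(\d+) s:(.*)", line):
            chain.append([int(m.group(1)), m.group(2).strip(), ""])
            field = 1
        elif re.match(r"\s+i:", line) and chain:
            chain[-1][2], field = line.split("i:", 1)[1].strip(), 2
        elif re.match(r"\s+[av]:", line):  # key/validity lines in newer output
            field = None
        elif line.strip() and field and chain:  # DN wrapped by the mail client
            chain[-1][field] += " " + line.strip()
    return [tuple(c) for c in chain]

def unsent_issuers(chain):
    """Issuers that a sent certificate names but the server did not send."""
    subjects = {subject for _, subject, _ in chain}
    return [issuer for _, _, issuer in chain if issuer not in subjects]

# Chain section as it appears in the message above (leaf only, DN line-wrapped).
FROM_MESSAGE = """---
Certificate chain
 0 s:/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
Lake/O=ACME, INC/CN=www.acme.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA"""
# Constructed sample: a server that also sends its intermediate.
CONSTRUCTED = """Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
 1 s:/CN=Example Issuing CA
   i:/CN=Example Root CA
---"""
for name, out in (("message", FROM_MESSAGE), ("constructed", CONSTRUCTED)):
    print(name, "-> client must supply:", unsent_issuers(sent_chain(out)))
```

Every issuer reported has to come from the client's own trust store or -CAfile. For the output in the message that is GeoTrust SSL CA, which the second verify run shows at depth=1, so the server is sending only the leaf.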