> From: owner-openssl-us...@openssl.org On Behalf Of sherry
> Sent: Friday, 16 August, 2013 20:09
> Hi Dirk,

(This is an open list, so I'll answer.)

<snip: genrsa and req -new -x509 for ca, genrsa and req -new and x509 -req for ca-int, genrsa and req -new and x509 -req for server>

Aside: I hope you know RSA 1024 is now considered under some threat (though not actually broken), and not safe for a projected 10-year lifetime.

> root@dev12042:~/cert# openssl verify -CAfile ca.crt ca-int.crt server.crt
> ca-int.crt: OK
> server.crt: CN = server
> error 20 at 0 depth lookup:unable to get local issuer certificate

'verify' validates each cert, individually, against only the specified or defaulted truststore. Your server.crt chains via ca-int.crt, not directly to your ca.crt. Either:

- concatenate ca.crt and ca-int.crt (and others if you like) into one file and use that for -CAfile.
- put both ca.crt and ca-int.crt (and others if you like) in a directory with hash links or names and use for -CApath.
- for this command only, add ca-int to the chain:

  openssl verify -CAfile ca.crt -untrusted ca-int.crt server.crt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
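The three remedies above, reproduced end to end as an added example that is not part of the thread: it builds a constructed root -> ca-int -> server chain (2048-bit keys, a throwaway minimal config, subject names and a temp directory of its own choosing) and shows `openssl verify` failing with the root alone and succeeding with a concatenated -CAfile, a rehashed -CApath, and -untrusted.

```shell
#!/bin/sh
# Constructed demo (not from the thread): root -> ca-int -> server chain, then
# 'openssl verify' with the root only versus the three ways of supplying ca-int.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Minimal config so req/x509 add only the extensions named on the command line.
cat > cfg <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:server.example
EOF

# 2048-bit keys: the reply notes RSA 1024 is no longer adequate for a long lifetime.
build_chain() {
  openssl req -x509 -config cfg -extensions ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -subj /CN=root -days 3650 2>/dev/null
  openssl req -new -config cfg -newkey rsa:2048 -nodes \
    -keyout ca-int.key -out ca-int.csr -subj /CN=ca-int 2>/dev/null
  openssl x509 -req -in ca-int.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile cfg -extensions ca -days 1825 -out ca-int.crt 2>/dev/null
  openssl req -new -config cfg -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr -subj /CN=server 2>/dev/null
  openssl x509 -req -in server.csr -CA ca-int.crt -CAkey ca-int.key -CAcreateserial \
    -extfile cfg -extensions srv -days 365 -out server.crt 2>/dev/null
  cat ca.crt ca-int.crt > bundle.crt                      # remedy 1: one -CAfile
  mkdir -p certs && cp ca.crt ca-int.crt certs/           # remedy 2: hashed -CApath
  openssl rehash certs 2>/dev/null
}

# Prints "ok" or "fail" for: openssl verify <args> server.crt
verify_server() {
  if openssl verify "$@" server.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

build_chain
echo "root only:       $(verify_server -CAfile ca.crt)"                       # fail (error 20)
echo "bundle -CAfile:  $(verify_server -CAfile bundle.crt)"                   # ok
echo "-CApath:         $(verify_server -CApath certs)"                        # ok
echo "-untrusted:      $(verify_server -CAfile ca.crt -untrusted ca-int.crt)" # ok (remedy 3)
```

Requires OpenSSL 1.1.0 or later for `openssl rehash`; the first line reproduces the error 20 from the original post, the other three clear it.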