>> Actually, that's not the reason. The positional [certificates]
>> arguments to verify(1) are not "chains". Only the first (leaf)
>> certificate of each of the argument files is processed.

Ok, that makes sense. Thanks for the update. I was trying this experiment to understand a client authentication failure in a similar scenario. I can now look at the code to figure out what is going on.

Regards,
Sudarshan

On Sun, Aug 13, 2017 at 9:49 AM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

> > On Aug 13, 2017, at 11:39 AM, Sudarshan Raghavan <sudarshan.t.ragha...@gmail.com> wrote:
> >
> > 3. openssl verify -CAfile <root ca> <chain containing leaf, intermediate ca 2, intermediate ca 1 and root ca in that order>. This fails with this error
> >
> > "error 20 at 0 depth lookup: unable to get local issuer certificate
> > error leafchain.pem: verification failed"
> >
> > I understand the reason for this is, the issuer of leaf certificate (intermediate ca 2) is not part of the trusted chain.
>
> Actually, that's not the reason. The positional [certificates]
> arguments to verify(1) are not "chains". Only the first (leaf)
> certificate of each of the argument files is processed.
>
> To import additional chain elements use the [-untrusted file]
> argument to provide additional untrusted certificates with
> which to build the chain.
>
> --
> Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
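The behaviour described in the reply above, reproduced as an added example that is not part of the original thread: a throwaway PKI (root, two intermediates, leaf) is built and verified once with the whole chain as the positional argument and once with the intermediates passed via `-untrusted`. All subject names, file names and function names are constructed for illustration.

```shell
# Added example: throwaway PKI root -> ca1 -> ca2 -> leaf; every name here is constructed.
set -eu

issue() {  # $1=dir $2=subject name $3=issuer name $4=extra x509 options (may be empty)
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" -subj "/CN=Test $2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days 2 $4 -out "$1/$2.pem" 2>/dev/null
}

build_pki() {  # $1=dir
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' '[dn]' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/req.cnf" \
    -subj "/CN=Test root" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  ca_ext="-extfile $1/req.cnf -extensions v3_ca"
  issue "$1" ca1 root "$ca_ext"
  issue "$1" ca2 ca1 "$ca_ext"
  issue "$1" leaf ca2 ""
  # Same order as in the thread: leaf, intermediate ca 2, intermediate ca 1, root.
  cat "$1/leaf.pem" "$1/ca2.pem" "$1/ca1.pem" "$1/root.pem" > "$1/leafchain.pem"
  cat "$1/ca2.pem" "$1/ca1.pem" > "$1/intermediates.pem"
}

# Case 3 from the thread: only the first certificate in leafchain.pem is read,
# so the issuer of the leaf cannot be found and verification fails.
verify_positional_chain() {
  openssl verify -CAfile "$1/root.pem" "$1/leafchain.pem" >/dev/null 2>&1
}

# Intermediates supplied as untrusted chain-building material; only the root is trusted.
verify_with_untrusted() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediates.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}

dir=$(mktemp -d)
build_pki "$dir"
if verify_positional_chain "$dir"; then echo "positional chain file: verified"
else echo "positional chain file: failed (only the leaf was read)"; fi
if verify_with_untrusted "$dir"; then echo "-untrusted intermediates: verified"
else echo "-untrusted intermediates: failed"; fi
```

Certificates passed with `-untrusted` are never treated as trust anchors; they only help build the path, which must still end at a certificate from `-CAfile`.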