openssl verify - error 20 at 0 depth lookup:unable to get local issuer certificate

spaghi · Apr 26, 2013 · Viewed 79.9k times

I created a PEM certificate from a PFX certificate and wanted to verify it. However, I ran into this issue, tried to find some answers, but I didn't, and therefore I don't know how to fix it. Could you please advise? Thank you very much.

C:\OpenSSL-Win32\bin>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

C:\OpenSSL-Win32\bin>openssl
OpenSSL> verify C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>

Answer

jww · Apr 21, 2014

OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem

Close. You need to add the CA's root certificate with -CAfile; and not your end entity certificate. Something like:

openssl verify -CAfile C:\ca-cert.pem C:\mycert.pem

Also, if there is an intermediate certificate, then it needs to be added to mycert.pem. So mycert.pem will actually have two (or more) certificates (rather than one).

Adding all required certificates to mycert.pem in an effort to build a valid chain solves the "which directory" problem. It's a well-known problem in PKI. Essentially, a client (like me) does not know where to go to get missing intermediate certificates.
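The following script is an added example, not part of the question or the answer above. It builds a throwaway root -> intermediate -> leaf PKI with openssl, reproduces the "error 20 at 0 depth lookup: unable to get local issuer certificate" symptom, and then shows the answer's fix in two forms: the root in -CAfile with the intermediate handed over via -untrusted, and root plus intermediate bundled into the -CAfile. All file names (root.pem, int.pem, leaf.pem, ca-bundle.pem) and subject names are constructed for the demo; the verify_result helper is my own wrapper around `openssl verify`.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway three-tier PKI
# (root CA -> intermediate CA -> leaf) with openssl, then reproduce the
# question's "error 20 at 0 depth" and show two ways to supply the issuer
# chain. Every file and subject name here is constructed for the demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; exit 1; }

WORK=$(mktemp -d)

# verify_result: wraps `openssl verify "$@"`; prints "OK" on success, or
# "<errnum>@<depth>" (e.g. "20@0") taken from the first reported error line.
verify_result() {
  out=$(openssl verify "$@" 2>&1) || true
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth.*/\1@\2/p' | head -n 1 ;;
  esac
}

# make_demo_pki: writes root.pem (self-signed), int.pem (issued by root),
# leaf.pem (issued by int) and ca-bundle.pem (root + intermediate) into $WORK.
make_demo_pki() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  # Root CA: a CSR signed with its own key (the trust anchor for -CAfile)
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 7 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1
  # Intermediate CA, issued by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 7 -extfile ca.ext -out int.pem >/dev/null 2>&1
  # End-entity certificate, issued by the intermediate (the "mycert.pem" role)
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=leaf.example.test" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 7 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
  # Bundle of trusted issuers: root first, then the intermediate
  cat root.pem int.pem > ca-bundle.pem
  cd - >/dev/null
}

make_demo_pki

# 1. Leaf alone, as in the question: no trust anchor -> "20@0"
echo "leaf only:            $(verify_result "$WORK/leaf.pem")"
# 2. Root given but the intermediate is missing: still "20@0", because the
#    leaf's direct issuer (the intermediate) cannot be found anywhere
echo "root only:            $(verify_result -CAfile "$WORK/root.pem" "$WORK/leaf.pem")"
# 3. Fix A: trust the root, pass the intermediate as untrusted chain material -> "OK"
echo "root + untrusted int: $(verify_result -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem")"
# 4. Fix B: root and intermediate bundled into the -CAfile -> "OK"
echo "root+int bundle:      $(verify_result -CAfile "$WORK/ca-bundle.pem" "$WORK/leaf.pem")"
```

Case 2 is the instructive one: pointing -CAfile at the correct root is necessary but not sufficient when an intermediate sits between the root and the end-entity certificate, and the error message is identical to the one from case 1. Of the two fixes, -untrusted is the cleaner choice because it lets openssl use the intermediate to build the chain without treating it as a trust anchor.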