I created a PEM certificate from a PFX certificate and wanted to verify it. However, I ran into this issue. I tried to find some answers, but I didn't, and therefore I don't know how to fix it. Could you please advise? Thank you very much.
C:\OpenSSL-Win32\bin>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
C:\OpenSSL-Win32\bin>openssl
OpenSSL> verify C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem
Close. You need to add the CA's root certificate with -CAfile; and not your end entity certificate. Something like:
openssl verify -CAfile C:\ca-cert.pem C:\mycert.pem
Also, if there is an intermediate certificate, then it needs to be added to mycert.pem. So mycert.pem will actually have two (or more) certificates (rather than one).
Adding all required certificates to mycert.pem in an effort to build a valid chain solves the "which directory" problem. It's a well-known problem in PKI. Essentially, a client (like me) does not know where to go to get missing intermediate certificates.
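
An added example (not part of the original question or answer) that reproduces error 20 with a throwaway root, intermediate and leaf, and shows which `openssl verify` invocations build a chain. All subjects and file names are constructed; `openssl verify` reads only the first certificate from the file being checked, so the intermediate is supplied with `-untrusted` or inside the `-CAfile` bundle.

```shell
#!/bin/sh
# Added example. Subjects, file names and the temp directory are constructed.

new_csr() {  # new_csr <path-prefix> <common-name>: writes <prefix>.key and <prefix>.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {  # build_chain <dir>: root -> intermediate -> leaf, plus bundles
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    new_csr "$d/root" "Example Root CA" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    new_csr "$d/int" "Example Intermediate CA" &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    new_csr "$d/leaf" "leaf.example.test" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/leaf.pem" "$d/int.pem" > "$d/leaf-plus-int.pem" &&
    cat "$d/int.pem" "$d/root.pem" > "$d/ca-bundle.pem"
}

# True only when openssl prints "<file>: OK"; judged on output, not exit status.
verify_ok() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

report() {  # report <label> <openssl verify arguments...>
    label=$1; shift
    if verify_ok "$@"; then echo "OK      $label"; else echo "FAILED  $label"; fi
}

work=$(mktemp -d) && build_chain "$work"
# The question's command: the end-entity certificate is not a trust anchor.
report "leaf as its own -CAfile"        -CAfile "$work/leaf.pem" "$work/leaf.pem"
# Root is trusted, but nothing links the leaf to it.
report "root only, no intermediate"     -CAfile "$work/root.pem" "$work/leaf.pem"
# Only the first certificate in the target file is read.
report "intermediate appended to leaf"  -CAfile "$work/root.pem" "$work/leaf-plus-int.pem"
# Intermediate offered as an untrusted chain-building candidate.
report "root + -untrusted intermediate" -CAfile "$work/root.pem" \
    -untrusted "$work/int.pem" "$work/leaf.pem"
# Intermediate and root both placed in the trusted bundle.
report "intermediate + root in -CAfile" -CAfile "$work/ca-bundle.pem" "$work/leaf.pem"
rm -rf "$work"
```

The first three lines of output read FAILED and the last two read OK.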