Verify a certificate chain using openssl verify

Indra · Aug 25, 2014 · Viewed 410.2k times

I'm building my own certificate chain with the following components:

Root Certificate - Intermediate Certificate - User Certificate

Root Cert is a self-signed certificate, Intermediate Certificate is signed by Root, and User by Intermediate.

Now I want to verify that a User Certificate has its anchor in the Root Certificate.

With

openssl verify -verbose -CAfile RootCert.pem Intermediate.pem

the validation is ok. In the next step I validate the User Cert with

openssl verify -verbose -CAfile Intermediate.pem UserCert.pem

and the validation shows

error 20 at 0 depth lookup:unable to get local issuer certificate

What is wrong?

Answer

Priyadi · Oct 23, 2014

From the verify documentation:

If a certificate is found which is its own issuer it is assumed to be the root CA.

In other words, the root CA needs to be self-signed for verify to work. This is why your second command didn't work. Try this instead:

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

It will verify your entire chain in a single command.
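The chain and the commands above, reproduced end to end as an added example that is not part of the question or answer: it generates a throwaway Root/Intermediate/User chain with openssl, then runs verify with the intermediate alone as -CAfile (the failing command), with the answer's -CAfile/-untrusted form, with the root alone, and with -partial_chain, a verify flag not mentioned on the page that makes a trusted but non-self-signed certificate acceptable as a chain end. All file names and subject names are constructed.

```shell
#!/bin/sh
# Added example, not from the question or answer: build a throwaway
# Root -> Intermediate -> User chain and run the verify commands above.
# All file and subject names are constructed here.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension file marking a certificate as a CA (needed for Root and Intermediate).
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Root CA: a CSR signed with its own key, i.e. self-signed.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Constructed Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out RootCert.pem 2>/dev/null

# Intermediate CA: signed by Root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Constructed Intermediate" 2>/dev/null
openssl x509 -req -in int.csr -CA RootCert.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out Intermediate.pem 2>/dev/null

# User (end-entity) certificate: signed by Intermediate, no CA extension.
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj "/CN=constructed.example" 2>/dev/null
openssl x509 -req -in user.csr -CA Intermediate.pem -CAkey int.key -CAcreateserial \
  -days 30 -out UserCert.pem 2>/dev/null

# Runs `openssl verify` on UserCert.pem with the given trust arguments and
# prints 0 when the chain is accepted, 1 when it is rejected.
verify_user_cert() {
  if openssl verify "$@" UserCert.pem >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Intermediate alone is not self-signed, so it is not a trust anchor: rejected.
echo "Intermediate as -CAfile (question's 2nd command): $(verify_user_cert -CAfile Intermediate.pem)"
# The answer's form: Root is the anchor, Intermediate is only chain material: accepted.
echo "Root -CAfile, Intermediate -untrusted (answer):   $(verify_user_cert -CAfile RootCert.pem -untrusted Intermediate.pem)"
# Root alone: the issuer of UserCert.pem cannot be found, so the chain is incomplete: rejected.
echo "Root as -CAfile only:                             $(verify_user_cert -CAfile RootCert.pem)"
# -partial_chain explicitly allows a trusted non-self-signed cert to end the chain: accepted.
echo "Intermediate as -CAfile with -partial_chain:      $(verify_user_cert -partial_chain -CAfile Intermediate.pem)"
```

The -partial_chain case shows why the answer's form is the right default: trust then ends at whatever certificate you put in -CAfile, so it should only be used when you deliberately want the intermediate, not the root, to be the anchor.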