(This answer extracted from X509_verify_cert at crypto/x509/x509_vfy.c:204, in openssl-1.0.2m)

The OpenSSL verify application verifies a certificate in the following way: It builds the certificate chain starting with the target certificate, and tracing the issuer chain, searching any untrusted certificates supplied along with the target cert first. Upon failing to find an untrusted issuer cert, OpenSSL switches to the trusted certificate store and continues building the chain. Chain building stops when:

- an issuer is not found in the trusted store.
- a self-signed certificate is encountered.

At this point we have a chain that may end prematurely (if we failed to find an issuer, or if we exceeded the verify depth).

OpenSSL then scans over each trusted certificate on the chain looking for SSLv3 extensions that specify the purpose of the trusted certificate. If the trusted certificate has the right "trust" attributes for the "purpose" of the verification operation (or has the anyExtendedKeyUsage attribute) the chain is trusted. (Forgive the hand-wave on trust attributes, that part of the code was difficult to read.)

First, let's repro the OP's error cases:

```bash
# Root CA: key plus self-signed certificate
openssl req -newkey rsa:4096 -nodes -keyout ca-key.pem -sha384 -x509 -days 365 -out ca-crt.pem -subj /C=XX/ST=YY/O=RootCA

# Intermediate CA: key and CSR, then a certificate signed by the root
openssl req -newkey rsa:3072 -nodes -keyout int-key.pem -new -sha384 -out int-csr.pem -subj /C=XX/ST=YY/O=IntermediateCA
openssl x509 -req -days 360 -in int-csr.pem -CA ca-crt.pem -CAkey ca-key.pem -CAcreateserial -out int-crt.pem

# User certificate: key and CSR, then a certificate signed by the intermediate
openssl req -newkey rsa:2048 -nodes -keyout usr-key.pem -new -sha256 -out usr-csr.pem -subj /C=XX/ST=YY/O=LockCmpXchg8b
openssl x509 -req -days 360 -in usr-csr.pem -CA int-crt.pem -CAkey int-key.pem -CAcreateserial -out usr-crt.pem

# Verify the user certificate with only the root in the trusted store
openssl verify -CAfile ca-crt.pem usr-crt.pem

# Verify the user certificate with only the intermediate in the trusted store
echo "Verifying UserCert via IntermediateCA."
openssl verify -CAfile int-crt.pem usr-crt.pem
```
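A simplified model of the chain-building steps described above, as an added example (not code from OpenSSL or from the original post). Certificates are reduced to subject and issuer names; signatures, validity dates and trust attributes are not modelled, and `Cert`, `build_chain` and the verdict strings are names assumed for this sketch. The third case corresponds to supplying the intermediate through the `-untrusted` option of `openssl verify`.

```python
from collections import namedtuple

# Model only: a certificate is just its subject and issuer names.
Cert = namedtuple("Cert", "subject issuer")

def self_signed(cert):
    return cert.subject == cert.issuer

def find_issuer(cert, pool):
    return next((c for c in pool if c.subject == cert.issuer), None)

def build_chain(target, untrusted, trusted, max_depth=10):
    """Return (chain, verdict); chain is a list of (cert, source) pairs."""
    chain, current = [(target, "target")], target
    # Phase 1: search the untrusted certificates supplied with the target first.
    while not self_signed(current) and len(chain) < max_depth:
        issuer = find_issuer(current, untrusted)
        if issuer is None:
            break
        chain.append((issuer, "untrusted"))
        current = issuer
    # Phase 2: switch to the trusted store and continue building.
    while True:
        if self_signed(current):
            # A self-signed certificate ends the chain; it must be in the trusted store.
            if current in trusted:
                return chain, "OK"
            return chain, "self-signed certificate is not trusted"
        if len(chain) >= max_depth:
            return chain, "verify depth exceeded"
        issuer = find_issuer(current, trusted)
        if issuer is None:
            return chain, "issuer of %r not found" % current.subject
        chain.append((issuer, "trusted"))
        current = issuer

# Constructed sample chain, named after the -subj values used in the post.
ROOT = Cert("RootCA", "RootCA")
INTER = Cert("IntermediateCA", "RootCA")
USER = Cert("LockCmpXchg8b", "IntermediateCA")

if __name__ == "__main__":
    cases = [("root trusted only", [], [ROOT]),
             ("intermediate trusted only", [], [INTER]),
             ("intermediate untrusted, root trusted", [INTER], [ROOT])]
    for label, untrusted, trusted in cases:
        chain, verdict = build_chain(USER, untrusted, trusted)
        print("%-38s %s  [%s]" % (label, verdict, " <- ".join(c.subject for c, _ in chain)))
```

In this model the first two cases stop with a missing issuer at different depths, which mirrors the two failing `openssl verify` invocations in the post.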