
As many know, certificates are not always easy. If you have a self-created Certificate Authority and a certificate (self-signed), there is not that much that can go wrong. It gets more troublesome when there are one or more intermediate certificates in the chain. The application serving the certificate has to send the complete chain, meaning the server certificate itself and all the intermediates. The CA certificate is supposed to be known by the receiving end (either manually imported because it is self-signed, or built in because it is from a recognized Certificate Authority). One of the problems encountered is that the chain sent from the application is incomplete; this usually leads to errors like "x509: certificate signed by unknown authority" or "server certificate verification failed".

Usually certificates are tested using a browser, visiting the URL by going to and seeing if it shows as green (or if it is not showing "Not Secure" in the latest version of Google Chrome). The problem with this approach is that browsers tend to complete the chain if it is not sent from the server, using their embedded certificate store (or the operating system's). This means that even an incomplete chain will show as valid in the browser.

For example, go to and see how the browser will show it as valid. If you try to connect to the same URL using command line tools, it will fail:

$ openssl s_client -connect :443 -servername
Verify return code: 21 (unable to verify the first certificate)

$ curl -v
curl: (60) server certificate verification failed.

Validate certificate chain when using your own Certificate Authority

Root CA certificate file and server certificate file (no intermediates)

Run the following command:

$ openssl verify cert.pem
cert.pem: C = Country, ST = State, O = Organization, CN = FQDN
error 20 at 0 depth lookup:unable to get local issuer certificate

As you can see, the chain cannot be verified: the Root CA certificate is unknown, so the chain cannot be validated. If you want to know what CA issued this certificate (the issuer), you can use the following command:

$ openssl x509 -in cert.pem -noout -issuer
issuer= /CN=the name of the CA

Now that we know the issuer, we can check whether the Root CA certificate file we have is the correct one by retrieving the subject of the Root CA certificate file:

$ openssl x509 -noout -subject -in ca.pem
subject= /CN=the name of the CA

This should match the issuer on the server certificate file. Note: if it is not showing the expected issuer, it might be issued by an intermediate CA. Scroll down to see how to deal with intermediate certificates.

Now verify the certificate chain by using the Root CA certificate file while validating the server certificate file, passing it with the CAfile parameter:

$ openssl verify -CAfile ca.pem cert.pem
cert.pem: OK

Issuer should match subject in a correct chain

The past example was on a Root CA certificate and a server certificate. If you still see "error 20 at 0 depth lookup:unable to get local issuer certificate", or the issuer and subject don't add up, you probably need to include an intermediate certificate.

Root CA certificate file, intermediate CA certificate and server certificate file

Let's start by using the base command to validate a certificate:

$ openssl verify cert.pem
cert.pem: C = Countrycode, ST = State, O = Organization, CN =
error 20 at 0 depth lookup:unable to get local issuer certificate

This was to be expected: we don't supply anything to validate the certificate chain, so it fails.
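The following script is an added example, not code from the original article. It builds a throwaway root / intermediate / server chain with constructed names (Example Root CA, Example Intermediate CA, www.example.test) and reproduces the outcomes discussed in both sections above: verifying with nothing supplied fails, verifying with only the root still fails because the intermediate is missing, and verifying with the root passed via -CAfile and the intermediate passed via -untrusted succeeds. It also does the issuer/subject comparison from the text as a scripted check, confirming the server certificate's issuer matches the intermediate's subject and not the root's. The function names and file names are this example's own, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original article: build a throwaway
# root -> intermediate -> server chain (all names constructed) and
# reproduce the verify outcomes discussed in the text. Needs the
# openssl CLI; function and file names are this example's own.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_cert CN NAME [ISSUER CA_FLAG]
# Without ISSUER a self-signed root is created. Otherwise a CSR for CN is
# signed by ISSUER with basicConstraints=CA:CA_FLAG (TRUE for the
# intermediate, FALSE for the server certificate); verify rejects an
# issuer that is not marked as a CA.
issue_cert() {
  cn="$1"; name="$2"; issuer="${3:-}"
  if [ -z "$issuer" ]; then
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem" -days 1 \
      -subj "/CN=$cn" >/dev/null 2>&1
  else
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
      -subj "/CN=$cn" >/dev/null 2>&1
    printf 'basicConstraints=CA:%s\n' "$4" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
  fi
}

build_chain() {
  issue_cert "Example Root CA" root &&
  issue_cert "Example Intermediate CA" int root TRUE &&
  issue_cert "www.example.test" srv int FALSE
}

# The three verify invocations from the text; each returns openssl's exit status.
verify_leaf_alone()      { openssl verify "$WORK/srv.pem"; }
verify_leaf_with_root()  { openssl verify -CAfile "$WORK/root.pem" "$WORK/srv.pem"; }
verify_leaf_with_chain() { openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/srv.pem"; }

# issuer_matches_subject LEAF CANDIDATE_ISSUER
# Compares the leaf's issuer DN with the candidate's subject DN in the
# normalised RFC2253 rendering, so whitespace or formatting differences
# between openssl versions do not produce a false mismatch.
issuer_matches_subject() {
  leaf_issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//')
  cand_subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^subject= *//')
  [ "$leaf_issuer" = "$cand_subject" ]
}

build_chain || { echo "could not build demo chain" >&2; exit 1; }

echo "--- no trust material supplied:"
verify_leaf_alone 2>&1 || echo "(exit status $?)"
echo "--- root via -CAfile, intermediate missing:"
verify_leaf_with_root 2>&1 || echo "(exit status $?)"
echo "--- root via -CAfile, intermediate via -untrusted:"
verify_leaf_with_chain 2>&1 || echo "(exit status $?)"
echo "--- issuer of srv.pem equals subject of int.pem?"
issuer_matches_subject "$WORK/srv.pem" "$WORK/int.pem" && echo yes || echo no
echo "--- issuer of srv.pem equals subject of root.pem?"
issuer_matches_subject "$WORK/srv.pem" "$WORK/root.pem" && echo yes || echo no
```

The first two verify calls print the same "error 20 at 0 depth lookup" message, which is why the text says that error alone does not tell you whether the root file is wrong or an intermediate is missing; the issuer/subject comparison is what distinguishes the two cases, and -untrusted is the flag that supplies intermediates to openssl verify without trusting them as roots.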
