Verify certificates using OpenSSL

Question

I created 2 intermediate certificates called cert1.crt and cert2.crt signed by a common cert0 root and i need to verify them using verify command.

I type:

verify -CAfile cert1.crt cert2.crt

What I get is:

error 20 at 0 depth lookup:unable to get local issuer certificate.

Same error appears when i replaced .crt files with the two .pem files i generated from the certificates. What am i doing wrong? i use OpenSSL toolkit my operating system is Windows 8.

Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. — jww, Apr 14 '15 at 20:43
There are literally hundreds of these questions on the Stack Exchange network. Why did you ask another [off-topic] one when the answer is readily available? ["openssl+verify"+"unable+to+get+local+issuer+certificate"](https://www.google.com/search?q="openssl+verify"+"unable+to+get+local+issuer+certificate"+site:stackoverflow.com) — jww, Apr 14 '15 at 20:47
obviously i searched the site before posting... most relevant answear is found in this one http://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify but still it couldnt help me solve my problem. — Mitsos Dim, Apr 14 '15 at 21:43

score 0 · Answer 1 · answered Apr 16 '15 at 09:01

I don't know how you create a common cert0 root.

You can do this by the following steps:

0) create CA private key and rootreq

$ openssl req -nodes -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

1) create CA self-signed cert

$ openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem

2) create client private key and certreq

$ openssl req -nodes -newkey rsa:1024 -sha1 -keyout userkey.pem -out userreq.pem

3) create client cert with client certreq $ openssl x509 -req -in userreq.pem -sha1 -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out usercert.pem

4) verify cert

$ openssl verify -CAfile rootcert.pem usercert.pem

You can repeat the step 2) and 3) with different output to create some client certs, and verify them at step 4).

Verify certificates using OpenSSL

1 Answers1