I have a leaf cert, intermediate cert, and a root cert.

client.crt contains all three, by way of cat leaf.crt intermediate.crt root.crt > client.crt

$ # Fails
$ openssl.exe verify client.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error client.crt: verification failed

$ # Passes, as expected, since it has the whole chain
$ openssl.exe verify -CAfile client.crt client.crt
client.crt: OK

$ # Add intermediate and root to stores
$ certutil.exe -addstore -f "ROOT" .\root.crt
CertUtil: -addstore command completed successfully.
$ certutil.exe -addstore -f "CA" .\intermediate.crt
CertUtil: -addstore command completed successfully.

$ # Both client.crt and leaf.crt fail to verify
$ openssl.exe verify client.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error client.crt: verification failed
$ openssl.exe verify leaf.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error leaf.crt: verification failed

It appears as if openssl.exe is not picking up the certs I install. I've also gone through and installed these through the Windows certificate manager to no avail.

How do I get openssl to pick up this CA chain?

Chris
  • (0) this is not programming or development and is (now) out of scope (1) OpenSSL never uses the Windows store (2) 'verify' on a chain file is a common error, see multiple links at https://stackoverflow.com/questions/65204616/why-does-openssl-verify-fail-with-a-certificate-chain-file – dave_thompson_085 Aug 31 '22 at 03:32
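
Added example, not part of the question or the comment and not written by either author: the script builds a constructed three-tier chain and runs the invocations at issue, showing that the bundle passed alone fails while naming the root with -CAfile and supplying the intermediate with -untrusted succeeds. The subject names, file layout and function names are assumptions for the demonstration; it expects a POSIX shell with the openssl CLI on PATH.

```bash
#!/usr/bin/env bash
# Added example. Constructed throwaway three-tier chain; all names are made up.
set -eu

new_csr() {  # $1=dir $2=name $3=CN: fresh key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # $1=dir: builds root, intermediate, leaf and the question's bundle
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  new_csr "$d" root "Demo Root"
  new_csr "$d" intermediate "Demo Intermediate"
  new_csr "$d" leaf "demo-client"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
  cat "$d/leaf.crt" "$d/intermediate.crt" "$d/root.crt" > "$d/client.crt"
}

# Bundle as the only argument: the first cert in the file is the target and
# the rest of the file is not used for chain building or as trust anchors.
bundle_only() { openssl verify "$1/client.crt" >/dev/null 2>&1; }

# Trust anchor named explicitly with -CAfile, intermediate supplied as -untrusted.
explicit_anchor() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
    "$1/leaf.crt" >/dev/null 2>&1
}

# The bundle can stay in one file when it is also passed as -untrusted.
bundle_as_untrusted() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/client.crt" \
    "$1/client.crt" >/dev/null 2>&1
}

d=$(mktemp -d)
make_chain "$d"
bundle_only "$d"         && echo "bundle only: OK"         || echo "bundle only: FAIL"
explicit_anchor "$d"     && echo "CAfile + untrusted: OK"  || echo "CAfile + untrusted: FAIL"
bundle_as_untrusted "$d" && echo "bundle as untrusted: OK" || echo "bundle as untrusted: FAIL"
```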

0 Answers