i created a PEM certificate from a PFX certificate and wanted to tướng verify it. However i ran into this issue, try to tướng find some answers, but i didnt and therefore i dont know how to tướng fix it. could you please advice? thank you very much.

C:\OpenSSL-Win32\bin>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

C:\OpenSSL-Win32\bin>openssl
OpenSSL> verify C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, công nhân = tstcawilly.szr.local
error trăng tròn at 0 depth lookup:unable to tướng get local issuer certificate
error in verify
OpenSSL>
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, công nhân = tstcawilly.szr.local
error trăng tròn at 0 depth lookup:unable to tướng get local issuer certificate
error in verify
OpenSSL>

jww

102k100 gold badges437 silver badges936 bronze badges

asked Apr 26, 2013 at 11:38

1

OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem

Close. You need to tướng add the CA's root certificate with -CAfile; and not your kết thúc entity certificate. Something like:

openssl verify -CAfile C:\ca-cert.pem C:\mycert.pem

Also, if there is an intermediate certificate, then it needs to tướng be added to tướng mycert.pem. So mycert.pem will actually have two (or more) certificates (rather than thở one).

Adding all required certificates to tướng mycert.pem in an effort to tướng build a valid chain solves the "which directory" problem. Its a well known problem in PKI. Essentially, a client (like me) does not know where to tướng go to tướng get missing intermediate certificates.

answered Apr 21, năm trước at 4:26

4

Another case is pathlen can only be mix when CA:TRUE in basicConstraints.

Example:

basicConstraints=CA:TRUE,pathlen:10 # Okay
basicConstraints=CA:FALSE,pathlen:10 # Invalid!

answered May 26, 2020 at 13:50

2

I also had problems using the openssl verify command properly. So I also got the error: "error trăng tròn at 0 depth lookup:unable to tướng get local issuer certificate"

Here is a short explanation how to tướng use the openssl verify command correctly if you have a certificate chain with multiple intermediate certificates (more than thở 2 certificates).

Lets imagine we have following certificate chain: my_root_ca.crt > my_intermediate_ca1.crt > my_intermediate_ca2.crt > leaf_cert.crt

openssl verify -CAfile my_root_ca.crt -untrusted all_my_intermediate_ca.crt leaf_cert.crt

my_root_ca.crt: This is the root certificate (self-signed)

all_my_intermediate_ca.crt: This tệp tin must include both intermediate certificates (my_intermediate_ca1.crt và my_intermediate_ca2.crt)

leaf_cert.crt: This is the actual certificate that gets verified.

So this would also work if you have more than thở two intermediate certificates. But you must include them all in one tệp tin.

answered Sep 9, 2021 at 10:08

I discovered two potential issues you might face.

Potential issue 1. The intermediate certificates might give you an issue.

When verifying our new QSeal certificate (in PEM format) against multiple intermediate certificates, I used option -untrusted for each intermediate certificate. Here follows an example on MacOS / Linux.

openssl verify -verbose -CAfile ./quovadis_root_ca1g3.pem -untrusted ./quovadis_quovadisenterprisetrustca1g3.pem -untrusted ./quovadis_quovadiseuissuingcertificationauthorityg4.pem ./qseal_new.crt

Output is now

./qseal_new.crt: OK

Potential issue 2. I get keeping this issue when using LibreSSL, even when fixing the intermediate certificate issue. Switching to tướng OpenSSL solved it. I am aware that you use Windows, but others might encounter this issue when using an OpenSSL alternative.

answered Sep 9, 2021 at 10:33

I solved this by creating a .pem with Private Key,Server Crt, and then the Intermediate certificates and running openssl verify on the pem tệp tin to tướng get an OK response.