I created a PEM certificate from a PFX certificate and wanted to verify it. However, I ran into this issue. I tried to find some answers, but I didn't, and therefore I don't know how to fix it. Could you please advise? Thank you very much.

C:\OpenSSL-Win32\bin>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

C:\OpenSSL-Win32\bin>openssl
OpenSSL> verify C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>

jww


asked Apr 26, 2013 at 11:38

1

OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem

Close. You need to add the CA's root certificate with -CAfile; and not your end entity certificate. Something like:

openssl verify -CAfile C:\ca-cert.pem C:\mycert.pem

Also, if there is an intermediate certificate, then it needs to be added to mycert.pem. So mycert.pem will actually have two (or more) certificates (rather than one).

Adding all required certificates to mycert.pem in an effort to build a valid chain solves the "which directory" problem. It's a well known problem in PKI. Essentially, a client (like me) does not know where to go to get missing intermediate certificates.

answered Apr 21, năm trước at 4:26

4

Another case is pathlen can only be set when CA:TRUE in basicConstraints.

Example:

basicConstraints=CA:TRUE,pathlen:10 # Okay
basicConstraints=CA:FALSE,pathlen:10 # Invalid!

answered May 26, 2020 at 13:50

2

I also had problems using the openssl verify command properly. So I also got the error: "error 20 at 0 depth lookup:unable to get local issuer certificate"

Here is a short explanation of how to use the openssl verify command correctly if you have a certificate chain with multiple intermediate certificates (more than 2 certificates).

Let's imagine we have the following certificate chain: my_root_ca.crt > my_intermediate_ca1.crt > my_intermediate_ca2.crt > leaf_cert.crt

openssl verify -CAfile my_root_ca.crt -untrusted all_my_intermediate_ca.crt leaf_cert.crt

my_root_ca.crt: This is the root certificate (self-signed)

all_my_intermediate_ca.crt: This file must include both intermediate certificates (my_intermediate_ca1.crt and my_intermediate_ca2.crt)

leaf_cert.crt: This is the actual certificate that gets verified.

So this would also work if you have more than two intermediate certificates. But you must include them all in one file.

answered Sep 9, 2021 at 10:08
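
Added example, not part of the question or of any answer on this page: a script that builds a throw-away chain with the same file names as the answer above and runs the three verify invocations discussed here (leaf as its own -CAfile, root only, root plus -untrusted bundle). The subjects, key size, validity and the helper names mkcsr, sign, build_chain and verify_result are constructed for illustration; it assumes openssl is on the PATH.

```bash
# Added example: throw-away CA hierarchy with constructed names and subjects.
# Chain: my_root_ca > my_intermediate_ca1 > my_intermediate_ca2 > leaf_cert

# mkcsr NAME: new key and CSR (own minimal config, so no system openssl.cnf is needed)
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -subj "/CN=constructed $1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXTFILE SERIAL: issue NAME.crt from NAME.csr under ISSUER
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -set_serial "$4" -days 2 -extfile "$3" -out "$1.crt" 2>/dev/null
}
# build_chain DIR: create the four certificates plus the intermediate bundle
build_chain() (
  cd "$1" || exit 1
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  for n in my_root_ca my_intermediate_ca1 my_intermediate_ca2 leaf_cert; do
    mkcsr "$n" || exit 1
  done
  # The root signs itself; every other certificate is signed by the one above it.
  openssl x509 -req -in my_root_ca.csr -signkey my_root_ca.key -days 2 \
    -extfile ca.ext -out my_root_ca.crt 2>/dev/null &&
  sign my_intermediate_ca1 my_root_ca ca.ext 2 &&
  sign my_intermediate_ca2 my_intermediate_ca1 ca.ext 3 &&
  sign leaf_cert my_intermediate_ca2 leaf.ext 4 &&
  cat my_intermediate_ca1.crt my_intermediate_ca2.crt > all_my_intermediate_ca.crt
)
# verify_result ARGS...: print "OK" or the first "error N" openssl verify reports
verify_result() {
  out=$(openssl verify "$@" 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/^\(error [0-9][0-9]*\) .*/\1/p' | head -n 1 ;;
  esac
}

work=$(mktemp -d) && build_chain "$work" || exit 1
cd "$work" || exit 1
echo "leaf as its own -CAfile: $(verify_result -CAfile leaf_cert.crt leaf_cert.crt)"
echo "root only:               $(verify_result -CAfile my_root_ca.crt leaf_cert.crt)"
echo "root plus -untrusted:    $(verify_result -CAfile my_root_ca.crt \
  -untrusted all_my_intermediate_ca.crt leaf_cert.crt)"
```
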

I discovered two potential issues you might face.

Potential issue 1. The intermediate certificates might give you an issue.

When verifying our new QSeal certificate (in PEM format) against multiple intermediate certificates, I used option -untrusted for each intermediate certificate. Here follows an example on MacOS / Linux.

openssl verify -verbose -CAfile ./quovadis_root_ca1g3.pem -untrusted ./quovadis_quovadisenterprisetrustca1g3.pem -untrusted ./quovadis_quovadiseuissuingcertificationauthorityg4.pem ./qseal_new.crt

Output is now

./qseal_new.crt: OK

Potential issue 2. I kept getting this issue when using LibreSSL, even when fixing the intermediate certificate issue. Switching to OpenSSL solved it. I am aware that you use Windows, but others might encounter this issue when using an OpenSSL alternative.

answered Sep 9, 2021 at 10:33

I solved this by creating a .pem with Private Key, Server Crt, and then the Intermediate certificates and running openssl verify on the pem file to get an OK response.