[[EMAIL PROTECTED] - Sun Oct 6 21:38:18 2002]:
> Richard Levitte via RT wrote:
> > OK, I just haven't seen further communication on this, so I've no
> > idea what conclusions you came to. It's very possible that the CA
> > certificate didn't match the issuer of the certificate you wanted to
> > verify. Do you have the possibility to send me the certificates you
> > were using in your test?
>
> here are the 'openssl x509' dumps, I hope that helps.

Yup. So let me see if I got this right, you're trying to verify mail.zaplinski.de.pem using ca.pem, right? And both of those files only contain one certificate, right (openssl x509 will only dump the first certificate found in a .pem file, IIRC)?

In that case, the certificate in ca.pem is insufficient for verification, because it in turn depends on another CA certificate. Observe the subject and the issuer that you show us:

> ---- ca.pem ----
[...]
> Issuer: C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de,
> CN=zaplinski.de root [EMAIL PROTECTED]
> Subject: C=DE, ST=Hamburg, O=zaplinski.de, CN=zaplinski.de
> root
> [EMAIL PROTECTED]

The issuer has the RDN L=Hamburg, the subject doesn't. The issuer therefore must have another certificate.

So, the chain that can be built is mail.zaplinski.de.pem -> ca.pem -> ???, where '???' is an unknown, and as far as I understand, unavailable certificate. Therefore, 'openssl verify' is absolutely correct in saying 'unable to get local issuer certificate'.

Unless you have other facts contradicting my guesses, I'm going to consider this case closed and the ticket resolved.

--
Richard Levitte
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
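
The name matching behind this diagnosis, as an added example that is not part of the original message and is not OpenSSL's code: it follows issuer-to-subject links by name only (no signature checks) and reports where the chain stops. The ca.pem names are taken from the message with the redacted e-mail part dropped; the leaf's subject and the `ROOT` entry are constructed assumptions.

```python
# Added example: name-based issuer lookup only; signatures are NOT checked.
# Assumes one-line DNs as printed by 'openssl x509', with no commas inside values.

def parse_dn(text):
    """Turn 'C=DE, ST=Hamburg, ...' into an ordered tuple of (type, value) RDNs."""
    rdns = []
    for part in text.split(","):
        key, _, value = part.strip().partition("=")
        rdns.append((key.strip().upper(), value.strip()))
    return tuple(rdns)

def extra_issuer_rdns(cert):
    """RDNs present in the issuer name but absent from the subject name."""
    subject = set(parse_dn(cert["subject"]))
    return [rdn for rdn in parse_dn(cert["issuer"]) if rdn not in subject]

def build_chain(leaf, store):
    """Follow issuer -> subject links; return (file names in chain, error or None)."""
    by_subject = {parse_dn(c["subject"]): c for c in store}
    chain, cert, visited = [leaf["name"]], leaf, set()
    while True:
        subject, issuer = parse_dn(cert["subject"]), parse_dn(cert["issuer"])
        if subject == issuer:            # self-issued: the chain ends at a root
            return chain, None
        visited.add(subject)
        parent = by_subject.get(issuer)
        if parent is None or issuer in visited:   # missing link, or a naming loop
            return chain + ["???"], "unable to get local issuer certificate"
        chain.append(parent["name"])
        cert = parent

# ca.pem names are from the message above (redacted e-mail part dropped).
CA = {"name": "ca.pem",
      "subject": "C=DE, ST=Hamburg, O=zaplinski.de, CN=zaplinski.de root",
      "issuer": "C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de, CN=zaplinski.de root"}
# Constructed: the leaf's subject is not shown on the page; its issuer is ca.pem's subject.
LEAF = {"name": "mail.zaplinski.de.pem",
        "subject": "C=DE, CN=mail.zaplinski.de",
        "issuer": CA["subject"]}
# Constructed: a hypothetical self-issued root whose subject equals ca.pem's issuer.
ROOT = {"name": "root.pem", "subject": CA["issuer"], "issuer": CA["issuer"]}

if __name__ == "__main__":
    print(extra_issuer_rdns(CA))
    print(build_chain(LEAF, [CA]))
    print(build_chain(LEAF, [CA, ROOT]))
```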