On Tue, Dec 15, 2015 at 10:56:59PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> $ openssl verify -verbose -CAfile ~/Certs/RabbitMQ_CA.pem -partial_chain
> -purpose sslclient RabbitMQ_Dev.pem
> RabbitMQ_Dev.pem: OK

Well if that CAfile yields a path to a root CA, the "-partial_chain"
option makes no difference.

> $ openssl verify -verbose -CAfile ~/Certs/RabbitMQ_CA.pem -purpose
> sslclient RabbitMQ_Dev.pem
> RabbitMQ_Dev.pem: OK

If it is OK without "-partial_chain", then your root CA is in there.

    $ OpenSSL_1_0_2/bin/openssl verify -CAfile issuer.pem leaf.pem
    leaf.pem: O = example.com, CN = clica Signing Cert
    error 2 at 1 depth lookup:unable to get issuer certificate

    $ OpenSSL_1_0_2/bin/openssl verify -partial_chain -CAfile issuer.pem leaf.pem
    leaf.pem: OK

    $ OpenSSL_1_0_2/bin/openssl verify -CAfile root.pem -untrusted chain.pem leaf.pem
    leaf.pem: OK

The entire chain: leaf, issuer, root is in chain.pem.
Just the root CA: is in root.pem
Just the issuer CA: is in issuer.pem
The leaf CA: is the first certificate in leaf.pem (this can just be chain.pem)

-- 
	Viktor.
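
The three verifications in the message above, reproduced end to end as an added example (not part of the original thread). It assumes an `openssl` binary on PATH that supports `-partial_chain`; the file names follow the message, while the subject names, the temporary directory and the helper function names are constructed for the demo.

```shell
#!/bin/sh
# Added example. Constructed PKI: root -> issuer -> leaf; subject names are made up.
mk_pki() {  # mk_pki DIR: writes root.pem issuer.pem leaf.pem chain.pem into DIR
    ( cd "$1" || exit 1
      printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > req.cnf
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
      printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext
      for n in root issuer leaf; do
          openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
              -subj "/O=example.test/CN=demo $n" -keyout "$n.key" -out "$n.csr" || exit 1
      done
      # Self-signed root, then issuer signed by root, then leaf signed by issuer.
      openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem &&
      openssl x509 -req -in issuer.csr -CA root.pem -CAkey root.key -set_serial 2 \
          -extfile ca.ext -days 2 -out issuer.pem &&
      openssl x509 -req -in leaf.csr -CA issuer.pem -CAkey issuer.key -set_serial 3 \
          -extfile leaf.ext -days 2 -out leaf.pem &&
      cat leaf.pem issuer.pem root.pem > chain.pem
    ) >/dev/null 2>&1
}

# Judge by the "<file>: OK" line the thread shows, not only by the exit status.
says_ok() {
    out=$("$@" 2>/dev/null) || :
    case $out in *': OK') return 0 ;; *) return 1 ;; esac
}

# Trust store holds only the intermediate: the chain cannot reach a self-signed root.
verify_issuer_only()    { says_ok openssl verify -CAfile "$1/issuer.pem" "$1/leaf.pem"; }
# Same trust store, but -partial_chain accepts the intermediate as the trust anchor.
verify_partial_chain()  { says_ok openssl verify -partial_chain -CAfile "$1/issuer.pem" "$1/leaf.pem"; }
# Only the root is trusted; the intermediate is supplied as untrusted chain material.
verify_root_untrusted() { says_ok openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/leaf.pem"; }

demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT
mk_pki "$demo_dir" || { echo 'PKI setup failed (is openssl on PATH?)' >&2; exit 1; }
for t in issuer_only partial_chain root_untrusted; do
    if "verify_$t" "$demo_dir"; then echo "$t: OK"; else echo "$t: verification failed"; fi
done
```

If a CA file verifies a certificate both with and without `-partial_chain`, as in the quoted RabbitMQ commands, the file already contains the root; only the issuer-only trust store changes result between the two runs.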