Moved to openssl-users...

Tanya Karpina wrote:
>
> I have the same problem verifying the server certificate. I tried to
> run s_server and s_client tests so everything works fine apart from
> certificate verification. I get an
>
> verify error: num=20:unable to get local issuer certificate
> verify return: 1
>
> Then I decided to run verify test with the same parameters.
>
> I have done cert req for server and sent it to THAWTE. Then I got
> certificate signed by THAWTE (myCert.pem). In addition I have the
> THAWTE root cert (CA cert below) thawte.pem
>
> I do
>
> openssl verify -CAfile E:\openssl\certs\thawte.pem -purpose sslserver
> E:\openssl\files\myCert.pem
>
> and got the same error.
>
> I also tried to use -CApath that points to dir where all trusted certs
> are located. (BTW what does it mean "The certificates should have
> names of the form: hash.0" how to convert *.pem to ...?)
> openssl verify -CApath E:\openssl\certs\ -purpose sslserver
> E:\openssl\files\myCert.pem
> I'm tired of searching for a solution. I took a look at many mailing lists
> but still can't solve the problem
>
-CApath doesn't work automatically under Windows because it currently
uses symbolic links.

If it's giving that error then it can't find either the root or an
intermediate CA. It isn't apparent which because you haven't included
the error from the verify command which would include a "depth"
parameter.

OpenSSL includes two Thawte root CAs in its standard distribution: try
the one called thawteCp.pem

Steve.
--
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
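
Added example, not part of the original messages and not OpenSSL's own tooling: where symbolic links are unavailable, a -CApath directory can be filled with copies of the CA certificates named after their subject hash ("hash.0"). It assumes a POSIX shell with openssl on the PATH; the function names build_capath and demo and the throwaway certificates are constructed for illustration.

```shell
#!/bin/sh
# Fill a -CApath directory with hash-named COPIES of PEM CA certificates,
# for systems where the usual symbolic links are not available.
# Every file placed there becomes a trusted CA, so keep the source set small.

# build_capath SRC_DIR DST_DIR: copy SRC_DIR/*.pem to DST_DIR/<hash>.<n>
build_capath() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        # Subject-name hash = the file name OpenSSL looks up. Compute it with
        # the same openssl build that will run the verification.
        subj_hash=$(openssl x509 -noout -hash -in "$pem" 2>/dev/null) ||
            { echo "skipped (not a PEM certificate): $pem" >&2; continue; }
        n=0
        # Distinct CAs may share a hash; the numeric suffix separates them.
        while [ -e "$dst/$subj_hash.$n" ]; do
            cmp -s "$pem" "$dst/$subj_hash.$n" && continue 2  # already there
            n=$((n + 1))
        done
        cp "$pem" "$dst/$subj_hash.$n"
    done
}

# demo WORK_DIR: constructed sample data (throwaway root CA and server
# certificate), then verification through the hash-named directory.
demo() {
    w=$1
    mkdir -p "$w/ca" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$w/ca.key" -out "$w/ca/root.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$w/srv.key" -out "$w/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$w/srv.csr" -CA "$w/ca/root.pem" \
        -CAkey "$w/ca.key" -CAcreateserial -days 2 \
        -out "$w/srv.pem" 2>/dev/null || return 1
    build_capath "$w/ca" "$w/hashed" || return 1
    openssl verify -CApath "$w/hashed" "$w/srv.pem"
}

if [ "${1:-}" = "--demo" ]; then demo "$(mktemp -d)"; fi
```

Running the script with --demo verifies the constructed server certificate against the hash-named copy of its root; pointing -CApath at the directory holding the same root under its original file name does not find the issuer.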
