At 02:32 PM 10/4/2006, Marek Marcola wrote:
Hello,
> I've generated a server cert from a CA on a MS system. The cert is in
> PKCS12 format, and I converted it to PEM using:
>
> openssl pkcs12 -in mypackage.pfx -out foo.pem
>
> then I tried to verify it using:
>
> openssl verify foo.pem
> foo.pem: /C=US/ST=CO/L=Colorado Springs/O=Process Software/OU=Engineering/CN=raptor.psccos.com
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> What am I missing here?
To verify a certificate you need to have the CA certificate.
The file with the CA certificate(s) is specified with the -CAfile
option.

I do the following steps. certnew.p7b is a pkcs7 file containing the
certification path.
openssl verify -verbose "-CAfile" certnew.p7b foo.pem
Error loading file certnew.p7b
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
openssl pkcs7 -inform der -outform pem -in certnew.p7b -out certnew.pem
openssl verify -verbose "-CAfile" certnew.pem foo.pem
Error loading file certnew.pem
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
openssl pkcs7 -inform der -in certnew.p7b -print_certs
subject=/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
issuer=/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |
+-------------------------------+----------------------------------------+
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
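
Added example, not part of the original messages: -CAfile reads PEM X.509 certificate blocks, and "pkcs7 -outform pem" only re-encodes the PKCS#7 container, whereas "-print_certs -out" writes the certificates it contains. The script below builds a throwaway CA and server certificate (constructed stand-ins for homeca and foo.pem; the names demo-ca, server.example and the function name are assumptions) and runs both conversions against verify.

```shell
#!/bin/sh
# Added example: the CA and server certificate are throwaway stand-ins,
# generated here, for homeca and foo.pem from the thread.
pkcs7_cafile_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        # Minimal req config so the run does not depend on a system openssl.cnf.
        cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
        # Self-signed demo CA, then a server certificate issued by it.
        openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 1 \
            -keyout ca.key -out ca.pem 2>/dev/null || exit 1
        openssl req -new -config demo.cnf -subj "/CN=server.example" -newkey rsa:2048 \
            -nodes -keyout srv.key -out srv.csr 2>/dev/null || exit 1
        openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 1 -out foo.pem 2>/dev/null || exit 1
        # DER PKCS#7 certification path, the same container type as certnew.p7b.
        openssl crl2pkcs7 -nocrl -certfile ca.pem -outform der -out certnew.p7b || exit 1
        # Conversion used in the thread: changes the encoding only, still PKCS#7.
        openssl pkcs7 -inform der -outform pem -in certnew.p7b -out wrapped.pem || exit 1
        # -print_certs -out writes the contained certificates as PEM X.509 blocks.
        openssl pkcs7 -inform der -in certnew.p7b -print_certs -out certnew.pem || exit 1
        if openssl verify -CAfile wrapped.pem foo.pem >/dev/null 2>&1; then w=ok; else w=fail; fi
        if openssl verify -CAfile certnew.pem foo.pem >/dev/null 2>&1; then c=ok; else c=fail; fi
        # Report the PEM type of the re-encoded file and the two verify results.
        echo "wrapped: $(head -n 1 wrapped.pem) verify=$w"
        echo "extracted: $(grep -c 'BEGIN CERTIFICATE' certnew.pem) cert(s) verify=$c"
    )
    rc=$?
    rm -rf "$d"
    return $rc
}
pkcs7_cafile_demo
```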