Tim Traver wrote:
> openssl verify -purpose sslserver cert.crt
>
> where cert.crt is the cert and its CAcert and the root cert in pem
> format...this is done on the command line, and it always gives me this
> error :
>
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> and I'm not sure what that really means...do I need to specify valid
> root certs? am I calling this wrong???

OpenSSL starts with the server certificate and tries to validate up to
the root certificate. So it has to get the issuer certificate of the
server certificate to be able to check the signature. This validation
process goes up to the (self-signed) root certificate.

It seems that OpenSSL does not look for the issuer certificates in
"server.crt", but in the file specified with "-CAfile". So to check a
certificate in file "server.crt", put the CA certificates up to the root
in "cafile.pem" and call

  openssl verify -purpose sslserver -CAfile cafile.pem server.crt

Regards,

Olaf

--
Dipl.Inform. Olaf Gellert
INTRUSION-LAB.NET
Senior Researcher, www.intrusion-lab.net
PKI - and IDS - Services
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
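
The difference between the two calls in this thread can be reproduced with a throwaway chain. The script below is an added example, not part of either message; it assumes an `openssl` command line of version 1.1.1 or later, and every subject name, file name and helper function in it is constructed for the illustration.

```shell
#!/bin/sh
# Added example. All names and certificates are constructed, throwaway test data.

new_csr() {  # new_csr <path-prefix> <common name>: fresh key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {  # build_chain <dir>: root -> intermediate -> server certificate
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
  new_csr "$d/root" "Example Root CA" &&
  new_csr "$d/int" "Example Intermediate CA" &&
  new_csr "$d/server" "www.example.test" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/server.crt" 2>/dev/null
}

# The call from the question: leaf, intermediate and root in one file, no -CAfile.
# Only the first certificate in the file is checked; the rest are not used as issuers.
verify_bundle_only() {
  cat "$1/server.crt" "$1/int.pem" "$1/root.pem" > "$1/cert.crt"
  openssl verify -purpose sslserver "$1/cert.crt" 2>&1
}

# The call from the reply: the CA certificates up to the root go in -CAfile.
verify_with_cafile() {
  cat "$1/int.pem" "$1/root.pem" > "$1/cafile.pem"
  openssl verify -purpose sslserver -CAfile "$1/cafile.pem" "$1/server.crt" 2>&1
}

demo() {
  dir=$(mktemp -d) && build_chain "$dir" || return 1
  echo "--- bundle only:";  verify_bundle_only "$dir" || echo "(exit status $?)"
  echo "--- with -CAfile:"; verify_with_cafile "$dir"
  rm -rf "$dir"
}
demo
```

The first call fails because the constructed root is not in the default trust store and the extra certificates in `cert.crt` are ignored; the second succeeds because the issuers are supplied as trusted certificates.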