All of the CA certificates in the chain of trust need to be included in the CA file passed to the "-CAfile" option. To do this, simply concatenate all of the PEM-encoded CA certificates into one file (e.g. 'cat <PEM-encoded root CA cert> <PEM-encoded intermediate CA cert> > cafile.pem' -- could be 'cat ../root/ca-cert.crt ../int/ca-cert.crt > cafile.pem'). Then use the following command 'openssl verify -CAfile cafile.pem user.crt'.
Hope this helps.

-Ryan Smith

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Hugo Garza
Sent: Thursday, July 15, 2010 12:27 PM
To: openssl-users@openssl.org
Subject: Help creating certificate chain

Hello All,

I'm trying to get a basic root CA setup with an intermediate CA to handle all the end user certificate signing.

So far

I've created a Root CA
I created an intermediate CA and signed its certificate with the Root CA
I created an end user certificate and signed it with the intermediate CA.

Now I want to be able to just import the Root CA and have all end user certificates be verified. I tried running:

openssl verify -CAfile ../root/ca-cert.crt user.crt

and it returns with

error 20 at 0 depth lookup:unable to get local issuer certificate

Thanks for any help.
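The failure from the question and the fix from the reply, reproduced end to end as an added example that is not part of either post. It builds a throwaway root CA, intermediate CA and end-user certificate, then runs `openssl verify` first with only the root and then with the concatenated CA file; all subject names and file names (including `ca.cnf`) are assumptions made up for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway root CA -> intermediate CA -> end-user cert.
# Every name here (Demo Root CA, ca.cnf, file names) is made up for the example.

build_chain() {   # $1 = empty working directory
  ( cd "$1" &&
    # Minimal config so both CA certs carry basicConstraints CA:TRUE
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
      'x509_extensions = v3_ca' '[dn]' 'CN = unused' '[v3_ca]' \
      'basicConstraints = critical,CA:TRUE' \
      'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf &&
    # Self-signed root CA
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo Root CA" -keyout root.key -out root.crt 2>/dev/null &&
    # Intermediate CA: CSR signed by the root, with the CA extensions
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr 2>/dev/null &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 30 -extfile ca.cnf -extensions v3_ca -out int.crt 2>/dev/null &&
    # End-user certificate: CSR signed by the intermediate, not by the root
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=demo-user" -keyout user.key -out user.csr 2>/dev/null &&
    openssl x509 -req -in user.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -days 30 -out user.crt 2>/dev/null &&
    # The fix from the reply: every CA in the chain goes into one PEM file
    cat root.crt int.crt > cafile.pem
  )
}

verify_with() {   # $1 = directory, $2 = CA file; prints openssl's verdict
  ( cd "$1" && openssl verify -CAfile "$2" user.crt 2>&1 )
}

demo() {
  d=$(mktemp -d) && build_chain "$d" || return 1
  echo "--- CAfile = root only (the command from the question)"
  verify_with "$d" root.crt
  echo "--- CAfile = root + intermediate (the command from the reply)"
  verify_with "$d" cafile.pem
  rm -rf "$d"
}

demo
```

With only the root in the CA file, `openssl verify` cannot find the issuer of `user.crt` (the intermediate) and stops at depth 0; with both CA certificates present it can build the path up to the self-signed root.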