Thanks Jakob, I just tried what you said by concatenating the Root and
Intermediate certificates to the user.crt file and tried running

openssl verify -CAfile ../root/ca-cert.crt   user.crt

But it still fails with, error 20 at 0 depth lookup:unable to get local
issuer certificate. I would prefer this method and just having everyone
install the root CA certificate into their trust store rather than having to
install every combination of Root and Intermediate CAs that are created in
the future.


On Fri, Jul 16, 2010 at 12:19 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:

> On 15-07-2010 21:26, Hugo Garza wrote:
>
>> Hello All, I'm trying to get a basic root CA setup with an intermediate CA
>> to handle all the end user certificate signing.
>>
>> So far I've created a Root CA
>> I created an intermediate CA and signed its certificate with the Root CA
>> I created an end user certificate and signed it with the intermediate CA.
>>
>> Now I want to be able to just import the Root CA and have all end user
>> certificates be verified.
>>
>> I tried running:
>> openssl verify -CAfile ../root/ca-cert.crt   user.crt
>>
>> and it returns with
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>
>> Thanks for any help.
>
> All of the certificates in the chain from user.crt to ca-cert.crt
> (inclusive) need to be provided as input.  It is your choice if
> the intermediary cert is included in ca-cert.crt or in user.crt.
>
> In a real application/protocol (such as SSL), the intermediary cert
> would typically be included in the appropriate protocol or message
> field.  SSL/TLS puts the list of certificates in the "Certificate"
> handshake message, S/MIME (CMS/PKCS#7) puts the list of certificates
> in the "certificates" member of the SignedData ASN.1 structure.
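The behaviour discussed in this thread, reproduced as an added example that is not from either poster: `openssl verify` reads only the first certificate from the file being verified, so extra certificates appended to user.crt are ignored, while an intermediate passed with the standard `-untrusted` option or placed in the `-CAfile` bundle completes the chain. The PKI is constructed and throwaway; every file name except user.crt, and all subject names, are assumptions.

```shell
#!/usr/bin/env bash
# Added example: constructed PKI (root -> intermediate -> user), made-up names throughout.

build_pki() {   # $1: existing empty directory that receives keys and certificates
  ( cd "$1" &&
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > pki.cnf &&
    # Self-signed root CA
    openssl req -config pki.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.crt -days 2 -subj "/CN=Example Root CA" &&
    # Intermediate CA, signed by the root
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
      -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA" &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 2 \
      -extfile pki.cnf -extensions v3_ca -days 2 -out int.crt &&
    # End-user certificate, signed by the intermediate
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
      -keyout user.key -out user.csr -subj "/CN=example user" &&
    openssl x509 -req -in user.csr -CA int.crt -CAkey int.key -set_serial 3 \
      -days 2 -out user.crt &&
    # What was tried in the thread: chain appended to the certificate under test
    cat user.crt int.crt root.crt > user-chain.crt &&
    # The alternative from the reply: intermediate kept alongside the root
    cat int.crt root.crt > ca-bundle.crt
  ) >/dev/null 2>&1
}

# True only when openssl reports "<file>: OK" for the given verify arguments.
verifies() { openssl verify "$@" 2>/dev/null | grep -q ': OK$'; }

report() {      # $1: PKI directory; prints one OK/FAIL line per invocation style
  ( cd "$1" || exit 1
    for args in "-CAfile root.crt user.crt" \
                "-CAfile root.crt user-chain.crt" \
                "-CAfile root.crt -untrusted int.crt user.crt" \
                "-CAfile ca-bundle.crt user.crt"; do
      # $args is left unquoted on purpose so it splits into separate options
      if verifies $args; then r=OK; else r=FAIL; fi
      printf '%-4s openssl verify %s\n' "$r" "$args"
    done )
}

dir=$(mktemp -d) && build_pki "$dir" && report "$dir"
```

With `-untrusted`, relying parties still trust only the root; the intermediate is used for path building and is itself validated against the root.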