Maybe that's a bug in OpenSSL 0.9.8o? The docs for verify say "It is an error if the whole chain cannot be built up."
.................................... Erik Tkal Juniper OAC/UAC/Pulse Development -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bruce Stephens Sent: Wednesday, November 03, 2010 12:59 PM To: openssl-users@openssl.org Subject: Re: openssl verify fails Erik Tkal <et...@juniper.net> writes: > Hi Michael, > > Your "rootcacert" is not a root cert, as it was issued by "C=US, > ST=UT, L=Salt Lake City, O=The USERTRUST Network, > OU=http://www.usertrust.com, CN=UTN-USERFirst-Client Authentication > and Email". You need to append that cert as well to your CAfile. That seems to be a change in behaviour. 0.9.8o is happy: brs% openssl version OpenSSL 0.9.8o 01 Jun 2010 brs% openssl verify -verbose -CAfile rootcacert.pem subcacert.pem subcacert.pem: OK brs% openssl verify -issuer_checks -CAfile rootcacert.pem subcacert.pem subcacert.pem: /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN error 29 at 0 depth lookup:subject issuer mismatch /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN error 29 at 0 depth lookup:subject issuer mismatch /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN error 29 at 0 depth lookup:subject issuer mismatch /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Root CA 1:PN error 29 at 0 depth lookup:subject issuer mismatch OK [...] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org