On Tue, May 27, 2014 at 03:44:46PM +0200, Sven Reissmann wrote:

> But, shouldn't it also be possible to only verify the trust chain up to
> the subCA (i.e., if I fully trust this CA)? I would have expected that
> this will verify successfully:

OpenSSL versions prior to 1.0.2 require that all trusted certificates
be self-signed.  In 1.0.2 it is possible to use X509_verify_cert()
with a trust anchor that is not self-signed, but I don't recall
whether this is possible through the CLI.

> openssl verify -CAfile subCA.pem subCA2.pem
> 
> Instead, I'm getting "error 2 at 1 depth lookup:unable to get issuer
> certificate"
> 
> What do I miss?

The chain construction code in X509_verify_cert() is currently limited
to self-signed trust anchors.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
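The behaviour discussed above, reproduced as an added example (not part of the thread or of OpenSSL's own test suite): a throwaway root -> subCA -> subCA2 hierarchy is built, then subCA2 is verified against the sub-CA alone, against the sub-CA with the 1.0.2+ `-partial_chain` option, and against the root with the sub-CA as an untrusted intermediate. It assumes an `openssl` CLI in PATH; the names, subjects and config files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build a constructed root -> subCA -> subCA2
# hierarchy and compare "openssl verify" against the sub-CA alone, with and
# without -partial_chain (OpenSSL 1.0.2 or later), plus the full-chain case.
# Assumes an openssl CLI in PATH; all keys and certificates are throwaway.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf;
# the subject itself is passed with -subj.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Every certificate in this toy PKI is a CA certificate.
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > ca.ext

# mkca NAME SUBJECT [ISSUER]: self-signed when no issuer is given,
# otherwise signed by ISSUER.pem / ISSUER.key.
mkca() {
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
    -keyout "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile ca.ext -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 1 -extfile ca.ext -out "$1.pem" 2>/dev/null
  fi
}
mkca root   /CN=TestRoot
mkca subCA  /CN=TestSubCA  root
mkca subCA2 /CN=TestSubCA2 subCA

# run_verify ARGS...: prints "ok" or "fail" instead of aborting under set -e.
# Matching the ": OK" line also works on old releases whose verify exit status is always 0.
run_verify() {
  if openssl verify "$@" 2>&1 | grep -q ': OK$'; then echo ok; else echo fail; fi
}

# Exactly what the question does: the sub-CA alone, no -partial_chain.
# Chain building keeps looking for subCA's issuer and reports
# "unable to get issuer certificate" at depth 1.
plain=$(run_verify -CAfile subCA.pem subCA2.pem)
# Same trust store, but the sub-CA is allowed to terminate the chain.
partial=$(run_verify -partial_chain -CAfile subCA.pem subCA2.pem)
# The conventional fix: anchor on the self-signed root, supply the sub-CA as untrusted.
full=$(run_verify -CAfile root.pem -untrusted subCA.pem subCA2.pem)
echo "sub-CA only: $plain  sub-CA with -partial_chain: $partial  full chain: $full"
```

On a 1.0.2-or-later CLI the first check fails and the other two succeed, which is the CLI-level counterpart of the X509_verify_cert() limitation described in the reply.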