On Tue, May 27, 2014 at 03:44:46PM +0200, Sven Reissmann wrote:

> But, shouldn't it also be possible to only verify the trust chain up to
> the subCA (i.e., if I fully trust this CA)? I would have expected that
> this will verify successfully:

OpenSSL versions prior to 1.0.2 require that all trusted certificates be self-signed. In 1.0.2 it is possible to use X509_verify_cert() with a trust anchor that is not self-signed, but I don't recall whether this is possible through the CLI.

> openssl verify -CAfile subCA.pem subCA2.pem
>
> Instead, I'm getting "error 2 at 1 depth lookup:unable to get issuer
> certificate"
>
> What do I miss?

The chain construction code in X509_verify_cert() is currently limited to self-signed trust anchors.

--
Viktor.
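An added example, not part of the original message: the script below rebuilds the situation from the question (root -> subCA -> subCA2) and runs the quoted `openssl verify` command with and without `-partial_chain`, the `openssl verify` option available from OpenSSL 1.0.2 that sets `X509_V_FLAG_PARTIAL_CHAIN`. The file names `subCA.pem` and `subCA2.pem` come from the question; the helper names, subject names and all keys are constructed for the demo.

```shell
#!/bin/sh
# Added demo: every key and certificate below is a throwaway, constructed locally.
# Needs the openssl CLI, 1.0.2 or later (the release that introduced -partial_chain).

make_chain() (  # $1 = work dir; builds root.pem -> subCA.pem -> subCA2.pem
  cd "$1" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  newreq() {  # $1 = file stem, $2 = CN, remaining args are passed to "openssl req"
    stem=$1 cn=$2; shift 2
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$stem.key" \
      -subj "/CN=$cn" "$@" >/dev/null 2>&1
  }
  sign() {    # $1 = CSR stem, $2 = issuer stem, $3 = output certificate, $4 = serial
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$4" \
      -days 2 -extfile ca.cnf -extensions v3_ca -out "$3" >/dev/null 2>&1
  }
  newreq root   "Demo Root CA" -x509 -days 2 -extensions v3_ca -out root.pem &&
  newreq subCA  "Demo subCA"   -new -out subCA.csr  && sign subCA  root  subCA.pem  2 &&
  newreq subCA2 "Demo subCA2"  -new -out subCA2.csr && sign subCA2 subCA subCA2.pem 3
)

check() {  # runs "openssl verify" with the given arguments; prints OK or FAIL
  if openssl verify "$@" 2>/dev/null | grep -q ': OK$'; then echo OK; else echo FAIL; fi
}

d=$(mktemp -d) || exit 1
trap 'rm -rf "$d"' EXIT
make_chain "$d" || { echo "chain generation failed" >&2; exit 1; }

# Full chain up to the self-signed root: verifies on any OpenSSL version.
echo "root anchor, subCA untrusted:     $(check -CAfile "$d/root.pem" -untrusted "$d/subCA.pem" "$d/subCA2.pem")"
# The command from the question: subCA is not self-signed, so chain building fails.
echo "subCA anchor, default:            $(check -CAfile "$d/subCA.pem" "$d/subCA2.pem")"
# Same trust file, but chain building may stop at the non-self-signed subCA.
echo "subCA anchor with -partial_chain: $(check -partial_chain -CAfile "$d/subCA.pem" "$d/subCA2.pem")"
```

With `-partial_chain`, every certificate in the `-CAfile` bundle can terminate a chain, so that file should hold only certificates you are prepared to trust as anchors.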