Openssl cannot get local issuer certificate debian

I cannot verify the certificate using openssl:

openssl verify cert.pem 

Gets something like this:

cert.pem: /C=PL/O=DATA
error 20 at 0 depth lookup:unable to get local issuer certificate

The same certificate verifies correctly on a CentOS machine.

Debian: squeeze / sid

Is this a problem with CA ROOT? Refresh openssl tab?

+6
3 answers

You need to specify a CA certificate in order to verify the issued certificate, since it is not explicitly included in the pem (although that would be possible):

 openssl verify -CAfile your_ca_cert_file cert.pem 

If you don't get an error on CentOS, then the CA cert is around and openssl can use it to successfully verify cert.pem.

+6

Unlike browsers that trust almost everyone, OpenSSL trusts nothing by default.

It is up to you to decide what to trust. You will need to specify something when using OpenSSL. This can be a certificate or a list of trusted certificates.

The /etc/ssl/certs directory contains many certificates. Using such a directory should allow checking almost everything:

 openssl verify -CApath /etc/ssl/certs cert.pem 

It is recommended that you reduce the number of trusted certificates to one, two, or the minimum possible.

+6
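Added example, not part of the original answers: a shell script that builds a throwaway root CA, intermediate CA and leaf, then verifies the leaf while trusting only the one root. It reproduces the "unable to get local issuer certificate" failure when the issuing certificate is missing and shows it clearing once the intermediate is supplied with `-untrusted`. The function names, subjects and file names are constructed for the demo, and `-no-CApath` assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Constructed PKI for the demo: root CA -> intermediate CA -> leaf (cert.pem).
# All names, subjects and paths below are made up for this example.

demo_setup() {
    D=$(mktemp -d) || return 1
    # Extension files: the two CA certificates must be marked CA:TRUE.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$D/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$D/leaf.ext"
    for n in root int leaf; do   # one key and one CSR per certificate
        openssl req -new -newkey rsa:2048 -nodes -subj "/C=PL/O=Demo/CN=demo-$n" \
            -keyout "$D/$n.key" -out "$D/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root, root-signed intermediate, intermediate-signed leaf.
    openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 2 \
        -extfile "$D/ca.ext" -out "$D/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$D/int.csr" -CA "$D/root.pem" -CAkey "$D/root.key" \
        -CAcreateserial -days 2 -extfile "$D/ca.ext" -out "$D/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$D/leaf.csr" -CA "$D/int.pem" -CAkey "$D/int.key" \
        -CAcreateserial -days 2 -extfile "$D/leaf.ext" -out "$D/cert.pem" 2>/dev/null
}

# Verify cert.pem with exactly one trust anchor (the demo root).
# -no-CApath keeps the system certificate directory out of the trust decision.
# Extra arguments (for example -untrusted FILE) are passed through to openssl.
verify_leaf() {
    openssl verify -no-CApath -CAfile "$D/root.pem" "$@" "$D/cert.pem" 2>&1
}

demo_setup || exit 1

echo "--- root trusted, issuing intermediate not available:"
verify_leaf      # fails: the leaf's issuer cannot be found

echo "--- root trusted, intermediate supplied as an untrusted helper:"
verify_leaf -untrusted "$D/int.pem"      # chain builds leaf -> int -> root

rm -rf "$D"
```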

You need to make your CA trusted on the server. For example, if your certificate is on GoDaddy, run the following commands.

 cd /tmp
 sudo wget -O gd_intermediate.crt https://certs.godaddy.com/repository/gd_intermediate.crt
 sudo cp /tmp/gd_intermediate.crt /usr/local/share/ca-certificates/gd_intermediate.crt
 sudo update-ca-certificates

After running these commands, your certificate should be verified.

 openssl verify cert.pem 
0

Source: https://habr.com/ru/post/976439/

