I'm trying to get to grips with verifying chains. I can create some keys:

    openssl genrsa -out key/1 512
    openssl genrsa -out key/2 512
    openssl genrsa -out key/3 512

I create a self-signed certificate for the first key:

    openssl req -new -x509 -nodes -sha1 -key key/1 -out 1

(with an OU of 1) And certificate requests for the other two:

    openssl req -new -key key/2 -out req/2
    openssl req -new -key key/3 -out req/3

(OUs of 2 and 3 respectively). These requests are then signed to create a chain:

    openssl x509 -req -in req/2 -CA 1 -CAkey key/1 -set_serial 01 -out 2
    openssl x509 -req -in req/3 -CA 2 -CAkey key/2 -set_serial 01 -out 3

So what I have is certificate 1 that is self-signed, 2 signed by 1 and 3 signed by 2.

I can verify 2 with 1:

    openssl verify -CAfile 1 2

What I don't seem to be able to do is verify 3 with 2:

    openssl verify -CAfile 2 3

I get:

    3: /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/OU=2
    error 2 at 1 depth lookup:unable to get issuer certificate

What am I doing wrong? Should I be able to verify a chain of certificates one at a time (i.e. verify 2 against 1 then later 3 against 2)?

Cheers
-- 
Sven
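Added example (not part of Sven's post): a script that rebuilds the same 1 -> 2 -> 3 chain and runs the failing and the working verify invocations side by side. The point it demonstrates is that "openssl verify" builds a path from the leaf up to a self-signed trust anchor; with only 2 in -CAfile it finds 2 as the issuer of 3, then cannot find the issuer of 2 (which is not self-signed), so the lookup stops at depth 1 with error 2. The fix is to trust 1 and supply 2 as an untrusted intermediate (or put both in the trust file); newer OpenSSL also offers -partial_chain to accept 2 itself as the anchor. Two assumptions differ from the post's commands because current OpenSSL releases would reject them: the keys are 2048-bit (512-bit RSA is refused), and the certificates carry explicit basicConstraints/keyUsage extensions from small extension files, since "x509 -req" without -extfile emits a v1 certificate and a v1 non-self-signed certificate 2 would be rejected as an issuer ("invalid CA certificate") once the chain can be built. The extension file names, subjects and serial numbers are arbitrary choices for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a modern OpenSSL
# (1.1.x or 3.x) on PATH. File names mirror the post (key/N, req/N, N).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir key req

# Extension files (assumed names): basicConstraints marks 1 and 2 as CAs.
# Without CA:TRUE, OpenSSL rejects 2 as an issuer even when the chain builds.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

cat > leaf.ext <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

# Same subject layout as the post, OU distinguishes the three certificates.
subj() { printf '/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/OU=%s' "$1"; }

# Keys and requests for all three (2048-bit: 512-bit RSA is refused today).
for n in 1 2 3; do
    openssl genrsa -out "key/$n" 2048 2>/dev/null
    openssl req -new -key "key/$n" -subj "$(subj "$n")" -out "req/$n" 2>/dev/null
done

# 1: self-signed root, signing its own request with its own key.
openssl x509 -req -in req/1 -signkey key/1 -set_serial 1 -days 365 \
    -extfile ca.ext -out 1 2>/dev/null
# 2: intermediate CA issued by 1.
openssl x509 -req -in req/2 -CA 1 -CAkey key/1 -set_serial 2 -days 365 \
    -extfile ca.ext -out 2 2>/dev/null
# 3: end-entity certificate issued by 2.
openssl x509 -req -in req/3 -CA 2 -CAkey key/2 -set_serial 3 -days 365 \
    -extfile leaf.ext -out 3 2>/dev/null

# The post's failing command. 2 is the only trusted certificate and it is not
# self-signed, so chain building stops at depth 1 with "unable to get issuer
# certificate" (error 2). Returns openssl's non-zero exit status.
verify_with_intermediate_only() {
    openssl verify -CAfile 2 3
}

# Correct form: trust the self-signed root 1 and pass 2 as an untrusted
# intermediate that verify may use to bridge 3 to 1.
verify_full_chain() {
    openssl verify -CAfile 1 -untrusted 2 3
}

# Equivalent: both issuers concatenated into one trust file.
verify_with_bundle() {
    cat 1 2 > bundle.pem
    openssl verify -CAfile bundle.pem 3
}

# OpenSSL 1.0.2 and later: -partial_chain lets a trusted but non-self-signed
# certificate act as the anchor, i.e. "verify 3 against 2 on its own".
verify_partial_chain() {
    openssl verify -partial_chain -CAfile 2 3
}

echo "== openssl verify -CAfile 2 3 (fails)"
if verify_with_intermediate_only; then
    echo "unexpected success"
else
    echo "failed as expected: no path from 2 to a self-signed anchor"
fi
echo "== openssl verify -CAfile 1 -untrusted 2 3"
verify_full_chain
echo "== openssl verify -CAfile bundle.pem 3"
verify_with_bundle
echo "== openssl verify -partial_chain -CAfile 2 3"
verify_partial_chain || echo "(-partial_chain not supported by this openssl)"
```

Verifying one hop at a time, as the post asks, is therefore not how verify works: each call independently needs a path to a self-signed certificate it trusts, so "verify 2 with 1" succeeds on its own while "verify 3 with 2" can only succeed if 2 is explicitly allowed to be an anchor (-partial_chain) or 1 is also present.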