Hi guys, I know it is really a frequently asked question, but after attempting for a long time I still cannot solve it, so any suggestion will be appreciated.
My chain structure is like this: hongdiz-root-ca --> hongdiz-ca1 --> hongdiz-router-1
Upon verifying the cert, it always fails between hongdiz-ca1 and hongdiz-router-1.
From previous mail threads and the documentation, OpenSSL will first use the subject/issuer name to match the cert, then the Subject Key ID/Authority Key ID. They seem to match in my cert chain. I enclosed all the certs as attachments.
1. Verify hongdiz-root-ca --> hongdiz-ca1 --> hongdiz-router-1 [Failed]
[r...@hongdiz-server-1 hongdiz-router-1]# openssl verify -CAfile ../hongdiz-root-ca/hongdiz-root-ca_cert.pem -untrusted ../hongdiz-ca1/hongdiz-ca1_cert.pem hongdiz-router-1_cert.pem
hongdiz-router-1_cert.pem: /C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
error 20 at 0 depth lookup:unable to get local issuer certificate
2. Verify hongdiz-root-ca --> hongdiz-ca1 [OK]
[r...@hongdiz-server-1 hongdiz-router-1]# openssl verify -CAfile ../hongdiz-root-ca/hongdiz-root-ca_cert.pem ../hongdiz-ca1/hongdiz-ca1_cert.pem
../hongdiz-ca1/hongdiz-ca1_cert.pem: OK
3. Verify hongdiz-ca1 --> hongdiz-router-1 [Failed]
[r...@hongdiz-server-1 hongdiz-router-1]# openssl verify -CAfile ../hongdiz-ca1/hongdiz-ca1_cert.pem ../hongdiz-router-1/hongdiz-router-1_cert.pem
../hongdiz-router-1/hongdiz-router-1_cert.pem: /C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
error 20 at 0 depth lookup:unable to get local issuer certificate
4. OpenSSL Server/Client verify Failed (put the hongdiz-root-ca cert and hongdiz-ca1 cert into ca-chain.pem)
[r...@hongdiz-server-1 hongdiz-router-1]# openssl s_server -cert hongdiz-router-1_cert.pem -key hongdiz-router-1_key.pem -CAfile ../ca-chain.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOQQgIKlqp1dJzX9YCO1IF8XOIrS7COcmwKcb7/AYeTP+1xgE
MO7GI9I3jTWuYTmcPrvBWuIaJWXMYyDDh68MQDXCetdAqDiOcOkRhbuZlKi7gbCG
CaEGAgRMYV4MogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
[r...@hongdiz-server-1 OpenSSL]# openssl s_client -connect localhost:4433 -CAfile ca-chain.pem
CONNECTED(00000003)
depth=0 /C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
i:/C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-ca1.crdc.cisco.com
1 s:/C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-ca1.crdc.cisco.com
i:/C=CN/ST=Shanghai/L=A12/O=Cisco/OU=IPCBU/CN=hongdiz-root-ca.crdc.cisco.com
2 s:/C=CN/ST=Shanghai/L=A12/O=Cisco/OU=IPCBU/CN=hongdiz-root-ca.crdc.cisco.com
i:/C=CN/ST=Shanghai/L=A12/O=Cisco/OU=IPCBU/CN=hongdiz-root-ca.crdc.cisco.com
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
issuer=/C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-ca1.crdc.cisco.com
---
No client certificate CA names sent
---
SSL handshake has read 2752 bytes and written 279 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 20A96AA75749CD7F5808ED4817C5CE22B4BB08E726C0A71BEFF0187933FED718
Session-ID-ctx:
Master-Key: EEC623D2378D35AE61399C3EBBC15AE21A2565CC6320C387AF0C4035C27AD740A8388E70E91185BB9994A8BB81B08609
Key-Arg : None
Krb5 Principal: None
Start Time: 1281449484
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Attachments: CA1.pem, rootCA.pem, router-1.pem
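The issuer matching the post describes (subject/issuer DN first, then Authority Key ID against Subject Key ID) can be checked with the openssl CLI alone. This is an added example on a constructed root -> ca1 -> router chain, not the poster's certificates; it assumes an OpenSSL 1.1.1 or later CLI on PATH, and all names in it are made up. It also builds a re-keyed copy of ca1 with the same subject DN to show the case where the names line up but verification still reports error 20.

```shell
#!/bin/sh
# Added example (not the original poster's files). Builds a constructed
# root -> ca1 -> router chain in a temp dir, checks the two things OpenSSL
# uses to find an issuer (issuer/subject DN, then AKID/SKID), and runs the
# same "verify -CAfile root -untrusted ca1 leaf" command as the post.
set -e
WORK=$(mktemp -d)

# make_cert NAME SUBJECT CA_FLAG [ISSUER_NAME]: self-signed when no issuer is given.
make_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nbasicConstraints=CA:%s\n' \
    "$3" > "$WORK/$1.ext"
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# issuer_check LEAF CANDIDATE: returns 0 only if CANDIDATE's subject DN equals LEAF's
# issuer DN and, when LEAF carries an AKID key id, that id equals CANDIDATE's SKID.
issuer_check() {
  li=$(openssl x509 -in "$1" -noout -issuer); cs=$(openssl x509 -in "$2" -noout -subject)
  if [ "${li#issuer=}" != "${cs#subject=}" ]; then echo "DN mismatch"; return 1; fi
  akid=$(openssl x509 -in "$1" -noout -text | sed -n '/Authority Key Identifier/{n;s/^ *\(keyid:\)\{0,1\}//p;}')
  skid=$(openssl x509 -in "$2" -noout -text | sed -n '/Subject Key Identifier/{n;s/^ *//p;}')
  if [ -n "$akid" ] && [ "$akid" != "$skid" ]; then echo "AKID $akid != SKID $skid"; return 1; fi
  echo "DN and key id match"
}

# verify_chain LEAF INTERMEDIATE: exit status of openssl verify, same shape as the post.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$2.pem" "$WORK/$1.pem"
}

make_cert root   "/O=Example/CN=root-ca"  TRUE
make_cert ca1    "/O=Example/CN=ca1"      TRUE  root
make_cert router "/O=Example/CN=router-1" FALSE ca1
# Same subject DN as ca1 but a fresh key pair: the names line up, the key ids do not.
make_cert ca1-rekeyed "/O=Example/CN=ca1" TRUE root

if verify_chain router ca1; then issuer_check "$WORK/router.pem" "$WORK/ca1.pem"; fi
verify_chain router ca1-rekeyed || issuer_check "$WORK/router.pem" "$WORK/ca1-rekeyed.pem" || true
```

The second verify prints the same "error 20 at 0 depth lookup" as in the post even though the DNs match, and issuer_check then names the AKID/SKID mismatch as the reason the candidate was not accepted.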
