I have a signed personal certificate and a list of CAs that chain together. Towards the top of the chain, I run into problems because the CAs are cross-signed. The Issuer: field for "CA1" is "CA2", and the Issuer: field for "CA2" is "CA1".
When I run "openssl verify kdreyer.pem", OpenSSL is able to follow the sub-CAs up to the first of these cross-signed CAs, but it fails with "error 2 at 100 depth lookup:unable to get issuer certificate". I want it to go "back" down the chain to see the cross-signing.

I have all of the hashes configured properly, but this cross-signing seems tricky. E.g.

    $ openssl x509 -noout -issuer_hash -in fc403046.0
    b8db54bd
    $ openssl x509 -noout -issuer_hash -in b8db54bd.0
    fc403046

"openssl verify" errors on b8db54bd.0.

For background, I'm trying to use the Federal Bridge Certificate Authorities, which are cross-signed in a sort of configuration that I'm unfamiliar with.

http://www.idmanagement.gov/fpkima/content/PCA_DNs.cfm

Can someone please help me understand how to successfully verify my personal certificate in this situation?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
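
Added example (not part of the original post, and not OpenSSL's code): a simplified Python model of issuer lookup in a hashed CA directory. It shows why a first-match walk over two CAs that name each other as issuer runs to the depth limit, and how a loop-aware search behaves with and without a self-signed anchor. Only the hashes fc403046 and b8db54bd come from the post; every other hash, the function names, and the self-signed certificate in WITH_ROOT are assumptions.

```python
# Simplified model, not OpenSSL's algorithm. Keys are subject hashes; each
# value lists the issuer hash of every certificate stored under that subject
# hash (<hash>.0, <hash>.1, ...). Only fc403046 and b8db54bd come from the
# post; all other values are constructed for illustration.
CROSS_ONLY = {
    "aaaa0001": ["aaaa0002"],  # personal certificate (constructed hash)
    "aaaa0002": ["fc403046"],  # sub-CA (constructed hash)
    "fc403046": ["b8db54bd"],  # cross-signed CA from the post
    "b8db54bd": ["fc403046"],  # cross-signed CA from the post
}

# Assumption: a self-signed certificate for one of the CAs is also present
# (it would sit beside the cross-certificate as b8db54bd.1).
WITH_ROOT = {**CROSS_ONLY, "b8db54bd": ["fc403046", "b8db54bd"]}


def first_match_walk(start, store, max_depth=100):
    """Always follow the first certificate found for each issuer, no loop check."""
    current, depth = start, 0
    while depth < max_depth:
        issuers = store.get(current)
        if not issuers:
            return ("missing-issuer", depth)
        if issuers[0] == current:
            return ("anchor", depth)
        current, depth = issuers[0], depth + 1
    return ("depth-limit", depth)


def find_anchor_path(start, store, path=None):
    """Depth-first search over every candidate issuer, never revisiting a subject."""
    path = (path or []) + [start]
    for issuer in store.get(start, []):
        if issuer == start:
            return path  # self-signed certificate: usable as a trust anchor
        if issuer in path:
            continue  # cross-signing loop: abandon this branch
        found = find_anchor_path(issuer, store, path)
        if found:
            return found
    return None


if __name__ == "__main__":
    print(first_match_walk("aaaa0001", CROSS_ONLY))
    print(find_anchor_path("aaaa0001", CROSS_ONLY))
    print(find_anchor_path("aaaa0001", WITH_ROOT))
```
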