On Mon, Apr 11, 2011 at 05:53:45PM -0400, Dave Thompson wrote:
> Is /etc/pki/tls/cert.pem a file or a directory?
> -CApath and -CAfile are different. Use the right one.
That was a typo on my end; I've been messing with both a concatenated set of
PEM certificates, and a directory. Once the typo is corrected, I get the same
symptom. :)

> Also note that the output from -issuer_checks is very likely
> to be misleading, so generally it's better not to use it.

Noted; thanks.

> But your likely problem is this cert uses an intermediate cert
> /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA .
> If that intermediate cert is not in your (packaged) truststore,
> s_client can verify because google sent it, but verify can't
> because verify gets only the entity cert you give it
> unless you also specify -untrusted.

I have to admit, I completely failed to understand the role of 'untrusted'
certificates in this context. I think I still want a high-level treatment of
how 'openssl verify' is different from the verification that 'openssl
s_client' undergoes. Is there some write-up of that on-line anywhere?

> Do s_client with -showcerts and you'll see you get both
> the entity cert for google and this intermediate cert.
> Either: put the intermediate cert in a file and give it
> to -untrusted; or put it in the truststore you use.

How is 'the truststore I use' different from the /etc/pki/tls/cert.pem file
dropped in by RedHat/CentOS?

> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

-- 
Brian Reichert				<reich...@numachi.com>
BSD admin/developer at large