Hi Vladimir, Use the actual root CA instead (i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority) and you'll see it works. You can save it with a web browser, the -showcerts options, or it is also be bundled as a root cert in all modern OSes. The others aren't the root cert so they don't work.
Joshua Bowman On 6/4/2012 9:07 PM, Vladimir Belov wrote: > Hi, > > I have a httpS-client and try to load www.verisign.com. I get the error > during certificate > verification: “20 (unable to get local issuer certificate)” > > The same error code was when I used s_client: > OpenSSL> s_client -host www.verisign.com -port 443 -CAfile > trusted_root_certs_of_CAs.pem > > Verify return code: 20 (unable to get local issuer certificate) > > > Web-site www.verisign.com have 3 certificates in the chain: > VeriSign Class 3 Public Primary Certification Authority – G5 > VeriSign Class 3 Extended Validation SSL SGC CA > www.verisign.com > > > In my test file with trusted root certificates of CAs there are two > certificates: > VeriSign Class 3 Public Primary Certification Authority – G5 > VeriSign Class 3 Extended Validation SSL SGC CA > > > I attached with email: trusted_root_certs_of_CAs.pem and s_client.log > > > --- > Regards, > > Vladimir. > > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
