On 08.01.2014 15:32, Yvonne Wambui wrote:
> I get this error when verifying a non-self-signed certificate. How do I make
> it not point to the rootCA?
>
It makes no sense to verify a non-self signed certificate without the
rootCA certificate. To verify such a certificate you have to provide the
certificate chain (which might be just one issuing CA, but often also
some intermediate sub-CAs). A set of trusted CA certificates is provided
by the distributions (most browsers bring their own collection of CA
certificates). If the CA which has issued the certificate you are trying
to verify is not included there, you can provide it on the command line
for the openssl command or manually copy it into the folder your
distribution is using, or you collect all your private trusted
certificates in a folder which you manage. Depending on which option you
choose, you can specify the details when calling openssl verify by the
parameters -CAfile or -CApath. You don't have to trust the intermediate
CAs explicitly, but you have to provide the certificates if there are
some (that's the -untrusted parameter). For details see the man page of
the verify utility.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
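
The options named in the reply above (-CAfile, -CApath, -untrusted), as an added example that is not part of the original message: the script builds a throwaway root, intermediate and leaf certificate and runs openssl verify three ways. The function names, file names and "Demo" subjects are constructed for the illustration.

```shell
#!/bin/sh
# Constructed demo PKI: root -> intermediate -> leaf (all names are made up).
# mkcert DIR NAME ISSUER EXT: new key and CSR for NAME, signed by ISSUER
# (self-signed when ISSUER equals NAME) using extension section EXT.
mkcert() {
    d=$1 name=$2 issuer=$3 ext=$4
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    if [ "$issuer" = "$name" ]; then
        set -- -signkey "$d/$name.key"
    else
        set -- -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" -CAcreateserial
    fi
    openssl x509 -req -in "$d/$name.csr" -days 2 -extfile "$d/ext.cnf" \
        -extensions "$ext" -out "$d/$name.pem" "$@" 2>/dev/null
}

build_demo_pki() {
    printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' '[leaf]' 'basicConstraints=CA:FALSE' \
        > "$1/ext.cnf"
    mkcert "$1" root root ca && mkcert "$1" intermediate root ca &&
        mkcert "$1" leaf intermediate leaf
}

# Root given, intermediate missing: no chain can be built, so this fails.
verify_root_only() { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1; }

# Root trusted via -CAfile, intermediate only supplied via -untrusted: succeeds.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# Root trusted via a self-managed folder (-CApath); the folder needs
# subject-hash-named links, which `openssl rehash` would also create.
verify_with_capath() {
    mkdir -p "$1/trusted" && cp "$1/root.pem" "$1/trusted/" &&
        h=$(openssl x509 -in "$1/root.pem" -noout -subject_hash) &&
        ln -sf root.pem "$1/trusted/$h.0" &&
        openssl verify -CApath "$1/trusted" -untrusted "$1/intermediate.pem" \
            "$1/leaf.pem" >/dev/null 2>&1
}

tmp=$(mktemp -d) && build_demo_pki "$tmp" || exit 1
verify_root_only "$tmp" && echo "root only: OK" || echo "root only: FAILED"
verify_with_chain "$tmp" && echo "-CAfile + -untrusted: OK"
verify_with_capath "$tmp" && echo "-CApath + -untrusted: OK"
rm -rf "$tmp"
```

Only the root is ever placed in a trusted location; the intermediate is handed over with -untrusted and is accepted because it chains to that root.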
