Hello,

On Tue, May 27, 2014 15:44, Sven Reissmann wrote:
> Hi,
>
> I'm having a comprehension question on certificate verification.
>
> Having a trustchain like this:
>
> rootCA -> subCA -> subCA2
>
> I can verify the subCA2 certificate using the command:
>
> openssl verify -CAfile rootCA.pem -untrusted subCA.pem subCA2.pem
>
> But, shouldn't it also be possible to only verify the trust chain up to
> the subCA (i.e., if I fully trust this CA)?

yes, then the rootCA is in your cert store, and OpenSSL must have access to this, implied by settings in openssl.cnf

> I would have expected that
> this will verify successfully:
>
> openssl verify -CAfile subCA.pem subCA2.pem
>
> Instead, I'm getting "error 2 at 1 depth lookup:unable to get issuer
> certificate"
>
> What do I miss?

settings in openssl.cnf

Walter
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
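
Added example, not part of the original thread: it builds a constructed rootCA -> subCA -> subCA2 chain with throwaway keys and runs the two commands from the question, plus a third using the `-partial_chain` option of `openssl verify`, which is not mentioned in the thread and lets verification stop at a non-self-signed certificate found in `-CAfile`. The helper names `issue` and `check`, the 2-day validity and the serial numbers are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo chain: rootCA -> subCA -> subCA2 (throwaway keys, 2-day validity).
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"

# issue NAME ISSUER SERIAL: create NAME.key and NAME.pem signed by ISSUER
# (self-signed when NAME and ISSUER are the same).
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null || return 1
    if [ "$1" = "$2" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
            -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
            -set_serial "$3" -days 2 -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

# check ARGS...: run `openssl verify ARGS` inside $WORK and print ok or FAIL.
check() {
    if (cd "$WORK" && openssl verify "$@" >/dev/null 2>&1); then echo ok; else echo FAIL; fi
}

issue rootCA rootCA 1 && issue subCA rootCA 2 && issue subCA2 subCA 3

echo "full chain to root:        $(check -CAfile rootCA.pem -untrusted subCA.pem subCA2.pem)"
echo "subCA only, as in the post: $(check -CAfile subCA.pem subCA2.pem)"
echo "subCA with -partial_chain: $(check -partial_chain -CAfile subCA.pem subCA2.pem)"
```

With `-partial_chain`, everything above subCA is no longer checked, so compromise or revocation of subCA at the root level goes unnoticed by this verification.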