> On Jan 9, 2018, at 5:55 PM, Norm Green <[email protected]> wrote:
>
> Same result. The only way it seems to work is if the leaf cert appears at the
> end of the file.
You're badly mistaken. *ONLY* the first certificate in the file is verified.
When you put the leaf cert at the end, you're *ONLY* verifying the top-most
issuer CA certificate.
The correct way to verify a chain is to put the root CA in a CAfile,
intermediate CAs in an "untrusted" chain file, and the leaf cert all
by itself in a separate file. As explained upstream. If that's not
working, then perhaps your chain is actually incomplete or otherwise
does not satisfy all the requirements.
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
