I’ve been using openssl verify to check some certificate chains:

server -> ca -> roota
server -> alt_ca -> rootb

Certificates ca and alt_ca have the same subject and public key and different 
issuers.

openssl verify -trusted roota.pem -untrusted ca.pem server.pem 
openssl verify -trusted rootb.pem -untrusted alt_ca.pem server.pem 

work fine; however, if I include both intermediate CAs, then verify only 
succeeds when the correct untrusted CA is first in the list:

openssl verify -trusted roota.pem -untrusted ca.pem -untrusted alt_ca.pem 
server.pem (OK)
openssl verify -trusted rootb.pem -untrusted ca.pem -untrusted alt_ca.pem 
server.pem (FAIL: error 20 at 1 depth lookup: unable to get local issuer 
certificate)

Is there a mechanism to support both ca.pem and alt_ca.pem without knowing 
which root the client has?

Many thanks
James
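The behaviour described in the post is what you get from a path builder that commits to the first issuer candidate it finds and never backtracks: `ca` and `alt_ca` share a subject and public key, so both match `server`'s issuer, but only one of them chains to the root the client trusts. The toy model below (an added example, not OpenSSL's implementation or code from the post; all certificate names, subjects and key labels are constructed to mirror the scenario) compares a first-match builder with one that tries every issuer candidate. String labels stand in for public keys and signature checks so the model runs offline.

```python
"""Toy X.509 path builder: first-match vs. backtracking over issuer candidates.

Added example. Certificates are modelled as records; `key` stands in for the
subject public key and `signer_key` for "whose key verifies this signature".
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    name: str         # label used in output
    subject: str
    issuer: str
    key: str          # stands in for the subject public key (SPKI)
    signer_key: str   # key that must verify this cert's signature


def signed_by(cert: Cert, candidate: Cert) -> bool:
    """Would `candidate` be a valid issuer of `cert`? (name match + signature check)"""
    return cert.issuer == candidate.subject and cert.signer_key == candidate.key


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                first_match_only: bool = False, max_depth: int = 10) -> Optional[List[Cert]]:
    """Return [leaf, ..., trust anchor] or None if no path reaches the trust store.

    first_match_only=True models a builder that takes the first untrusted issuer
    candidate and never reconsiders; False tries every candidate (backtracking).
    """
    def search(cur: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        if len(path) > max_depth:
            return None
        # A trust anchor that verifies the current cert terminates the path.
        for anchor in trusted:
            if signed_by(cur, anchor):
                return path + [anchor]
        # Otherwise look for intermediates that could have issued `cur`.
        candidates = [c for c in untrusted if signed_by(cur, c) and c not in path]
        if first_match_only:
            candidates = candidates[:1]
        for cand in candidates:
            found = search(cand, path + [cand])
            if found:
                return found
        return None

    return search(leaf, [leaf])


def chain_names(chain: Optional[List[Cert]]) -> Optional[List[str]]:
    return [c.name for c in chain] if chain else None


# Constructed certificates mirroring the post: two roots, two intermediates with the
# same subject and public key (KI) but different issuers, one server cert.
ROOTA = Cert("roota", "Root A", "Root A", "KA", "KA")
ROOTB = Cert("rootb", "Root B", "Root B", "KB", "KB")
CA = Cert("ca", "Intermediate CA", "Root A", "KI", "KA")
ALT_CA = Cert("alt_ca", "Intermediate CA", "Root B", "KI", "KB")
SERVER = Cert("server", "server.example", "Intermediate CA", "KS", "KI")

if __name__ == "__main__":
    pool = [CA, ALT_CA]  # ca listed first, as in the failing command
    for root in (ROOTA, ROOTB):
        print(f"trusted={root.name} first-match :",
              chain_names(build_chain(SERVER, pool, [root], first_match_only=True)))
        print(f"trusted={root.name} backtracking:",
              chain_names(build_chain(SERVER, pool, [root])))
```

With `ca` listed before `alt_ca`, the first-match builder finds `server -> ca -> roota` but returns nothing when only `rootb` is trusted, which is the shape of the "unable to get local issuer certificate" failure; the backtracking builder finds `server -> alt_ca -> rootb` regardless of the order the intermediates are supplied in. Whether a given OpenSSL version behaves like the first or the second is a question of that version's chain-building code, which this model does not reproduce.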
