On Wed, Aug 19, 2015 at 02:09:27AM -0700, Alice Wonder wrote:
> The documentation says
>
> ``This means that the Postfix server public-key certificate file must
> include the server certificate first, then the issuing CA(s) (bottom-up
> order).''
>
> Then it gives an example
>
> cat server_cert.pem intermediate_CA.pem > server.pem
>
> -=-
The documentation is correct.
> With my Comodo PositiveSSL there are two intermediary certs.
>
> So I try
>
> cat librelamp_com.crt \
> COMODORSADomainValidationSecureServerCA.crt \
> COMODORSAAddTrustCA.crt > test.cert
>
> But it doesn't verify
>
> openssl verify -purpose sslserver test.crt
> test.crt: OU = Domain Control Validated, OU = PositiveSSL, CN =
> librelamp.com
> error 20 at 0 depth lookup:unable to get local issuer certificate
That's because "openssl verify" verifies the single certificate in
a file, not a chain. To verify a chain file you need to use the
"-untrusted" option to augment the certificate with the rest of
the chain, and perhaps specify the location of the trusted root
CAfile:
$ openssl verify \
-untrusted chain.pem \
-purpose sslserver \
-CAfile root.pem \
chain.pem
> I tried switching the order, same issue.
>
> Finally I reversed the order -
>
> cat COMODORSAAddTrustCA.crt \
> COMODORSADomainValidationSecureServerCA.crt \
> librelamp_com.crt > test.crt
You verified the intermediate certificate, not too
interesting.
> Am I not understanding something or is the documentation off?
The former, particularly how the "verify" command works.
--
Viktor.
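The behaviour described in the reply above (plain "openssl verify" reading only the first certificate, "-untrusted" supplying the rest of the chain, and the reversed file "passing" only because the intermediate came first) reproduced end to end. This is an added example, not part of the thread; it builds its own throwaway root, intermediate and server certificates, so the subject names and file names are constructed placeholders, and it assumes the openssl command-line tool (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example, not from the thread: builds a throwaway root -> intermediate
# -> server chain and reproduces the three points in the reply above:
#   1. "openssl verify chain.pem" reads only the first certificate and fails
#      with "unable to get local issuer certificate";
#   2. "-untrusted chain.pem" supplies the intermediate and the chain passes;
#   3. the reversed file passes, but only the intermediate was checked.
# Subject names are constructed placeholders. Requires the openssl CLI.

# Returns 0 when all three observations hold. Runs in a subshell so the
# temporary directory and "cd" do not leak into the caller.
verify_chain_demo() (
  set -e
  work=$(mktemp -d)
  cd "$work"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  # Self-signed root CA; extensions come from ca.ext, not from openssl.cnf.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem 2>/dev/null
  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.pem 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out server.pem 2>/dev/null
  # Postfix order: server certificate first, then the issuing CA(s).
  cat server.pem int.pem > chain.pem
  # 1. Only the first certificate is read; its issuer is not in -CAfile.
  openssl verify -CAfile root.pem chain.pem 2>&1 \
    | grep -q 'unable to get local issuer certificate'
  # 2. -untrusted hands the rest of the file to the chain builder.
  openssl verify -untrusted chain.pem -purpose sslserver -CAfile root.pem chain.pem \
    | grep -q ': OK$'
  # 3. Reversed order "passes" only because the first certificate is the
  #    intermediate, which chains straight to the root.
  cat int.pem server.pem > reversed.pem
  openssl verify -CAfile root.pem reversed.pem | grep -q ': OK$'
  openssl x509 -in reversed.pem -noout -subject | grep -q 'Test Intermediate'
  rm -rf "$work"
)

verify_chain_demo && echo "all three observations reproduced"
```

Swap the generated files for the real server, intermediate and root certificates to check a production chain file the same way.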