Ssl – How to verify signed certificate

ssl

I have two SSL certificates:

One for snipsalonsoftware.com which is currently in place and working properly.
One for app.snipsalonsoftware.com which has been purchased but not yet installed.

What I'm trying to do right now is simply verify the validity of the snipsalonsoftware.com certificate so that, when I try to verify the app.snipsalonsoftware.com, I know that I'm getting a meaningful answer.

This is a professionally signed certificate from Comodo by way of DreamHost, not a self-signed certificate. How can I verify the trust chain using openssl or some other method?

Here's what I get right now when I try:

$ openssl verify domain.pem 
domain.pem: /OU=Domain Control Validated/OU=Provided by New Dream Network, LLC/OU=DreamHost Basic SSL/CN=snipsalonsoftware.com
error 20 at 0 depth lookup:unable to get local issuer certificate

But to me it's like duh, of course you can't get the local certificate – there isn't one. I don't get how I'm supposed to verify a professionally-signed certificate.

Best Answer

Generally what this means is that OpenSSL's default CA path doesn't contain the certificate that signed the one you're checking - usually an intermediate certificate.

You'll need to get a copy of the intermediate (most CAs will provide, or you can fetch it from an SSL connection whose trust is working), and point at it in your openssl command with -CAfile intermediate.pem.

Related Solutions

Ssl – Why can’t openSSL verify google’s certificate

On another Linux distribution I use, the naked -connect verb doesn't actually import the root CA packages installed on the system. To get that, you need to add -CApath /etc/ssl/wherever/, where the path is the location of the root CA certificate bundles.

Without CAPath:

CONNECTED(00000003)
depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 ---

With CAPath:

CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification     Authority
verify return:1
depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mail.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---

Ssl – How to manually authenticate a CA signed SSL certificate

I tend to like a quick pass with curl -Iv https://www.example.com. curl will dump out the relevant SSL bits (and will use the list of CAs it has on hand).

If you need to do more by hand, you can run openssl verify with the right options, specifically the -CApath option:

$ openssl verify --help
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...

My guess at your problem is that the server isn't publishing the intermediate certificate bundle. Look at https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657 (or, more specifically, the email instructions from Verisign on how to install the certificate).

Related Topic