I have two SSL certificates:
- One for snipsalonsoftware.com which is currently in place and working properly.
- One for app.snipsalonsoftware.com which has been purchased but not yet installed.

What I'm trying to do right now is simply verify the validity of the snipsalonsoftware.com certificate so that, when I try to verify the app.snipsalonsoftware.com, I know that I'm getting a meaningful answer.
This is a professionally signed certificate from Comodo by way of DreamHost, not a self-signed certificate. How can I verify the trust chain using openssl or some other method?
Here's what I get right now when I try:
$ openssl verify domain.pem
domain.pem: /OU=Domain Control Validated/OU=Provided by New Dream Network, LLC/OU=DreamHost Basic SSL/CN=snipsalonsoftware.com
error 20 at 0 depth lookup:unable to get local issuer certificate
But to me it's like duh, of course you can't get the local certificate – there isn't one. I don't get how I'm supposed to verify a professionally-signed certificate.
Best Answer
Generally what this means is that OpenSSL's default CA path doesn't contain the certificate that signed the one you're checking - usually an intermediate certificate.
You'll need to get a copy of the intermediate (most CAs will provide, or you can fetch it from an SSL connection whose trust is working), and point at it in your openssl command with -CAfile intermediate.pem.
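The failure from the question and the fix from the answer, reproduced as an added example (not part of the original question or answer) on a constructed root, intermediate and leaf. All names, keys and helper functions are made up for illustration; here the constructed root is the `-CAfile` trust anchor and the intermediate is supplied with `-untrusted`, whereas in the answer's setup the root already sits in OpenSSL's default CA path.

```shell
#!/bin/sh
# Added example. Every key, name and certificate here is constructed.
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

new_csr() {  # new_csr <name> <CN>: fresh key plus signing request
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

sign() {     # sign <name> <issuer> [x509 options]: issuer signs <name>.csr
    name=$1 issuer=$2; shift 2
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
        -CAcreateserial -days 30 -out "$name.pem" "$@" 2>/dev/null
}

build_chain() {  # build_chain <dir>: root -> intermediate -> domain
    ( cd "$1" || exit 1
      printf '%s\n' "$CA_EXT" > ca.ext
      new_csr root "Constructed Root CA" &&
      openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
          -days 30 -out root.pem 2>/dev/null &&
      new_csr intermediate "Constructed Intermediate CA" &&
      sign intermediate root -extfile ca.ext &&
      new_csr domain "app.example.test" &&
      sign domain intermediate )
}

# Trust anchor only: the leaf's issuer (the intermediate) cannot be found,
# which is the "error 20 ... unable to get local issuer certificate" case.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/domain.pem" 2>&1
}

# Same trust anchor, with the intermediate offered as an untrusted chain
# certificate so OpenSSL can build leaf -> intermediate -> root.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" \
        -untrusted "$1/intermediate.pem" "$1/domain.pem" 2>&1
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir"
echo "--- without the intermediate:"; verify_leaf_only "$demo_dir" || true
echo "--- with the intermediate:";    verify_with_chain "$demo_dir" || true
```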