With the same url, this ends up giving a verify return code 20 (unable to get local issuer of certificate):
openssl s_client -connect $URL:443 -showcerts -CAfile /etc/ssl/certs/java/cacerts
This gives a verify return code of 0:
openssl s_client -connect $URL:443 -showcerts -CApath /etc/ssl/certs
As does:
... -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem
But that cert is already in the java keystore. I need to be able to access the url from Java-land and I can't figure out what's going on. I'm a total n00b here so any help would be appreciated.
Best Answer
The cacerts file is a JKS-format keystore, which OpenSSL doesn't support (it's the standard keystore format for Java, but isn't commonly supported by non-Java utilities).
If you want to use openssl s_client with the certs from that keystore, you can extract them into a usable form with (the default password for the cacerts file is "changeit", but if you just want to see the public certs you can just enter a blank password and it will be fine)
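The following is an added example, not the answerer's own command: it exports every trusted certificate from a JKS keystore into a PEM bundle that `openssl s_client -CAfile` can read, and then checks a server against that bundle. It assumes `keytool` from a JDK is on PATH, uses the question's keystore path /etc/ssl/certs/java/cacerts and Java's default password "changeit", and the host name `example.internal` is a placeholder. The filter step is kept in its own function so it can be exercised on constructed `keytool -list -rfc` output without a JDK.

```shell
#!/bin/sh
# Added example: turn a JKS keystore into a PEM bundle for openssl.
# Assumes keytool (JDK) is on PATH. Keystore path and password below are the
# question's cacerts file and Java's documented default; host is a placeholder.

KEYSTORE=/etc/ssl/certs/java/cacerts
STOREPASS=changeit

# pem_blocks_only: read keytool -list -rfc output on stdin and keep only the
# -----BEGIN/END CERTIFICATE----- blocks, dropping alias, type and
# fingerprint lines so openssl gets a clean PEM bundle.
pem_blocks_only() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# count_pem_certs <bundle.pem>: number of certificates in a PEM bundle.
# Note: grep -c exits 1 when the count is 0, so an empty bundle is an error.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# jks_to_pem <keystore> <password> <out.pem>: export all entries from a JKS
# keystore as PEM. keytool -list -rfc prints each entry's certificate in PEM
# form; the store password is only needed to read the file, not to verify it.
jks_to_pem() {
    ks=$1; pw=$2; out=$3
    keytool -list -rfc -keystore "$ks" -storepass "$pw" 2>/dev/null \
        | pem_blocks_only > "$out"
    count_pem_certs "$out"
}

# verify_with_bundle <host> <bundle.pem>: connect once and print only the
# "Verify return code" line; 0 means the chain was built from the bundle.
# -servername sends SNI so a virtual-hosted server presents the right cert.
verify_with_bundle() {
    host=$1; bundle=$2
    printf '' | openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile "$bundle" 2>/dev/null | grep 'Verify return code'
}

# Usage (only runs when invoked directly, so the functions can be sourced):
if [ "${0##*/}" = "jks_to_pem.sh" ]; then
    n=$(jks_to_pem "$KEYSTORE" "$STOREPASS" /tmp/java-cacerts.pem)
    echo "exported $n certificates from $KEYSTORE"
    verify_with_bundle example.internal /tmp/java-cacerts.pem
fi
```

If `verify_with_bundle` still reports code 20 against the exported bundle while `-CApath /etc/ssl/certs` reports 0, the issuer of the server's chain is genuinely absent from cacerts and needs to be imported with `keytool -importcert`; if it reports 0, the Java-side failure lies elsewhere (for example an application using a different truststore than the one on disk).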