openssl verify throwing unexpected error 24.

by zaxonus from LinuxQuestions.org on (#5CDJD)
I am trying to follow a solution in this post to understand some problem that I have with openssl. But though it mostly works, I have an error at the end.

Note that the errors on the first two commands (at the end) are expected, only the last one is a problem. According to the post the last command should work.

If someone could tell me what is wrong, that would be very helpful.
Following is the sequence of relevant commands. The "ls" are only here to follow what is happening.

Code:
...$ openssl req -newkey rsa:4096 -nodes -keyout ca-key.pem -sha384 -x509 -days 365 -out ca-crt.pem -subj /C=XX/ST=YY/O=RootCA
Generating a RSA private key
.........................................++++
.........................................................................................................++++
writing new private key to 'ca-key.pem'
-----
...$ ls
ca-crt.pem ca-key.pem
...$ openssl req -newkey rsa:3072 -nodes -keyout int-key.pem -new -sha384 -out int-csr.pem -subj /C=XX/ST=YY/O=IntermediateCA
Generating a RSA private key
........................++++
.......++++
writing new private key to 'int-key.pem'
-----
...$ ls
ca-crt.pem ca-key.pem int-csr.pem int-key.pem
...$ openssl x509 -req -days 360 -in int-csr.pem -CA ca-crt.pem -CAkey ca-key.pem -CAcreateserial -out int-crt.pem
Signature ok
subject=C = XX, ST = YY, O = IntermediateCA
Getting CA Private Key
...$ ls
ca-crt.pem ca-crt.srl ca-key.pem int-crt.pem int-csr.pem int-key.pem
...$
...$ openssl req -newkey rsa:2048 -nodes -keyout usr-key.pem -new -sha256 -out usr-csr.pem -subj /C=XX/ST=YY/O=LockCmpXchg8b
Generating a RSA private key
................+++++
................................................................................+++++
writing new private key to 'usr-key.pem'
-----
...$ ls
ca-crt.pem ca-crt.srl ca-key.pem int-crt.pem int-csr.pem int-key.pem usr-csr.pem usr-key.pem
...$ openssl x509 -req -days 360 -in usr-csr.pem -CA int-crt.pem -CAkey int-key.pem -CAcreateserial -out usr-crt.pem
Signature ok
subject=C = XX, ST = YY, O = LockCmpXchg8b
Getting CA Private Key
...$ ls
ca-crt.pem ca-crt.srl ca-key.pem int-crt.pem int-crt.srl int-csr.pem int-key.pem usr-crt.pem usr-csr.pem usr-key.pem
...$
...$ cat ca-crt.pem int-crt.pem > chain.pem
...$ ls
ca-crt.pem ca-crt.srl ca-key.pem chain.pem int-crt.pem int-crt.srl int-csr.pem int-key.pem usr-crt.pem usr-csr.pem usr-key.pem
...$
...$ openssl verify -CAfile ca-crt.pem usr-crt.pem
C = XX, ST = YY, O = LockCmpXchg8b
error 20 at 0 depth lookup: unable to get local issuer certificate
error usr-crt.pem: verification failed
...$ openssl verify -CAfile int-crt.pem usr-crt.pem
C = XX, ST = YY, O = IntermediateCA
error 2 at 1 depth lookup: unable to get issuer certificate
error usr-crt.pem: verification failed
...$ openssl verify -CAfile chain.pem usr-crt.pem
C = XX, ST = YY, O = IntermediateCA
error 24 at 1 depth lookup: invalid CA certificate
error usr-crt.pem: verification failed
...$
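
Added example, not part of the original post: `openssl x509 -req` without `-extfile` issues the intermediate with no basicConstraints extension, so `openssl verify` refuses to treat it as an issuer even when it is in the `-CAfile` bundle. The script below rebuilds the chain from the session with and without CA extensions on the intermediate; the file name `int-ext.cnf`, the function name `verify_chain` and the smaller key sizes are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example. File names and subjects follow the post; int-ext.cnf and the
# function name verify_chain are assumptions introduced here.

# verify_chain <yes|no>: build root -> intermediate -> user in a temp dir,
# signing the intermediate with (yes) or without (no) CA extensions, then
# print the output of `openssl verify` and return its exit status.
verify_chain() (
    with_ca_ext=$1
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1

    # Root CA: self-signed, as in the post (smaller keys only to run faster).
    openssl req -newkey rsa:2048 -nodes -keyout ca-key.pem -sha256 -x509 \
        -days 365 -out ca-crt.pem -subj /C=XX/ST=YY/O=RootCA 2>/dev/null || exit 1

    # Intermediate CSR.
    openssl req -newkey rsa:2048 -nodes -keyout int-key.pem -new -sha256 \
        -out int-csr.pem -subj /C=XX/ST=YY/O=IntermediateCA 2>/dev/null || exit 1

    # `x509 -req` adds no extensions unless told to. Without basicConstraints
    # CA:TRUE the intermediate is not accepted as an issuer during verification.
    ext_args=""
    if [ "$with_ca_ext" = yes ]; then
        printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                      'keyUsage=critical,keyCertSign,cRLSign' > int-ext.cnf
        ext_args="-extfile int-ext.cnf"
    fi
    # shellcheck disable=SC2086  # ext_args is intentionally word-split
    openssl x509 -req -days 360 -in int-csr.pem -CA ca-crt.pem -CAkey ca-key.pem \
        -CAcreateserial $ext_args -out int-crt.pem 2>/dev/null || exit 1

    # End-entity certificate signed by the intermediate, as in the post.
    openssl req -newkey rsa:2048 -nodes -keyout usr-key.pem -new -sha256 \
        -out usr-csr.pem -subj /C=XX/ST=YY/O=LockCmpXchg8b 2>/dev/null || exit 1
    openssl x509 -req -days 360 -in usr-csr.pem -CA int-crt.pem -CAkey int-key.pem \
        -CAcreateserial -out usr-crt.pem 2>/dev/null || exit 1

    cat ca-crt.pem int-crt.pem > chain.pem
    openssl verify -CAfile chain.pem usr-crt.pem 2>&1
)
```

`verify_chain no` reproduces the "invalid CA certificate" failure at depth 1; `verify_chain yes` prints `usr-crt.pem: OK`. Running `openssl x509 -in int-crt.pem -noout -text` on each variant shows whether the `X509v3 Basic Constraints` section is present.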