Hey everyone,
I am trying to write a code which receives a pcap file as an input and returns invalid certificates from it.
I have parsed certificate chains, and I'm trying to verify them.
Because I get the certificate chains out of a pcap, the chain length is not constant (sometimes a chain includes only 1 certificate that is self-signed (and valid)).
Let cert0.pem be the server's certificate and certk.pem the root CA's certificate.
According to my research online, I'm trying to verify the certificate as follows:
Create a file certs.pem which contains the certificate chain in the order: certk.pem, certk-1.pem, … cert0.pem
Use the command (ca.pem is a file containing root certificates): openssl verify -CAfile ca.pem certs.pem
But sometimes the verification goes wrong even for valid certificates, as in the following output:
C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
error 20 at 0 depth lookup: unable to get local issuer certificate
error certs.pem: verification failed
Please help me: how can I verify the certificate chain?
Additionally, is there a way to add host name verification in the same line? (I have tried to add “-verify_hostname name” but again, the output was unexpected.)
Thank you!!
Is it possible that in this particular case you were trying to verify GeoTrust's root certificate? Root certificates are self-signed and can't be verified by reference to some other trusted cert.
To verify the host name, maybe you could look at the contents of the end-entity cert and see for yourself if the hostname matches? If you want to see the contents in a textual format, you can use openssl x509 -text -noout -in cert.pem or something similar.
Thank you for your reply. I'm trying to verify the complete chain as I have seen on the internet, so I put the whole chain in a single pem file and I'm trying to verify it. Am I doing something wrong? In most cases it works properly, but in this case I get the attached output.
So if I get it right, I have to check the whole chain except for the root (against my local CAfile), and if the chain is of length 1? Is it also possible to check it against the CA file somehow? (Sorry for the bunch of questions, and my poor English... I've been trying to solve this problem for several days..)
This verifies correctly for me with openssl verify.
You need to have a copy of the root CA C=US, O=Equifax, OU=Equifax Secure Certificate Authority. On my system this came in the ca-certificates package and is found within /etc/ssl/certs. My openssl verify is implicitly doing something like -CApath /etc/ssl/certs/ and hence is finding that root (and then the verification of the chain succeeds). I can reproduce the error you get by having some other -CApath that doesn’t contain the Equifax root (or, presumably, by deleting the Equifax root from my system entirely).
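The verify invocations that follow from this answer, as an added example that is neither code from the thread nor from the OpenSSL project: a POSIX shell script that builds a constructed root -> intermediate -> leaf chain (all names, such as Demo Root CA, example.test and self.test, are made up for the demo) and shows which openssl verify calls pass and fail, including the missing-root case that produces the thread's error 20, the wrong-hostname case, and the one-certificate self-signed case the original poster asked about. It assumes openssl 1.1.0 or newer is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL itself.
# Builds a constructed root -> intermediate -> leaf chain (all names below are
# made up for the demo), then shows which "openssl verify" invocations pass and
# which fail, including the error-20 case from the thread. Needs openssl 1.1.0+.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to demonstrate" >&2
    exit 0
fi
WORK=$(mktemp -d)
cd "$WORK"

# mkcsr NAME CN: generate an EC key NAME.key and a CSR NAME.csr for CN.
mkcsr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign NAME ISSUER EXTS: sign NAME.csr into NAME.pem with ISSUER.pem/ISSUER.key;
# an empty ISSUER means self-signed. EXTS is the extfile contents (\n separated).
sign() {
    printf '%b' "$3" > "$1.ext"
    if [ -n "$2" ]; then
        openssl x509 -req -days 30 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
            -CAcreateserial -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -days 30 -in "$1.csr" -signkey "$1.key" \
            -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    fi
}

CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'

# Constructed test PKI: our root, an unrelated root, an intermediate, a leaf for
# example.test, and a lone self-signed server cert for self.test.
make_pki() {
    mkcsr root  "Demo Root CA";         sign root  ""    "$CA_EXT"
    mkcsr other "Unrelated Root CA";    sign other ""    "$CA_EXT"
    mkcsr inter "Demo Intermediate CA"; sign inter root  "$CA_EXT"
    mkcsr leaf  "example.test"
    sign leaf inter 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n'
    mkcsr self  "self.test";            sign self  ""    'subjectAltName=DNS:self.test\n'
}

# verify_chain LEAF INTERMEDIATES TRUST_STORE HOSTNAME -> prints OK or FAIL.
# Only the leaf is the positional argument; intermediates go in via -untrusted
# (order inside that file does not matter); -CAfile holds roots you actually
# trust. INTERMEDIATES may be "" for a chain of length 1.
verify_chain() {
    leaf=$1; inter=$2; store=$3; host=$4
    if [ -n "$inter" ]; then
        set -- -CAfile "$store" -untrusted "$inter" -verify_hostname "$host" "$leaf"
    else
        set -- -CAfile "$store" -verify_hostname "$host" "$leaf"
    fi
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_pki
echo "full chain, root in trust store:     $(verify_chain leaf.pem inter.pem root.pem example.test)"
echo "full chain, root not in trust store: $(verify_chain leaf.pem inter.pem other.pem example.test)"
echo "full chain, wrong host name:         $(verify_chain leaf.pem inter.pem root.pem wrong.test)"
echo "self-signed cert, trusted directly:  $(verify_chain self.pem '' self.pem self.test)"
echo "self-signed cert, not trusted:       $(verify_chain self.pem '' other.pem self.test)"
# Show the raw message for the missing-root case; it is the thread's error 20.
openssl verify -CAfile other.pem -untrusted inter.pem leaf.pem || true
```

Passing only the leaf as the positional argument and the rest of the captured chain through -untrusted sidesteps the question of which certificate in a combined certs.pem openssl verify actually checks, and it keeps -CAfile limited to roots that are trusted independently of the capture. A root that merely appeared on the wire in the pcap has not earned a place in -CAfile; at most it belongs in the -untrusted set, where it can only help build a path that still has to end at a root you already trust. For a single self-signed certificate, verification against a trust store that contains that same certificate succeeds and against any other store fails, which is the distinction the length-1 chains in the question need.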
Thank you very much for your reply.
According to your answer I concluded that you are using Linux. I have just tried exactly the same operation in Ubuntu and it actually works!!
Because my code has to run in a Windows environment, I have to solve the problem in Windows. I have tried to copy the \etc\ssl\certs folder to my Windows machine and use it as a CApath parameter, but unfortunately the output stays the same ("error 20 at 0 depth lookup: unable to get local issuer certificate").
Do you have an idea what could still be the problem? Or what am I doing wrong?
Again, thank you very much for your help!
When you copied them, did you preserve the symbolic link structure? I’m not sure, but it’s possible that OpenSSL specifically expects the symlinks to be symlinks. They are originally created with c_rehash.
I suggest searching elsewhere for terms like “openssl capath windows”. I don’t use Windows so I’m not exactly sure what you need to do!
claims that (from curl's point of view but related to OpenSSL) -CApath doesn’t actually work on Windows and that you should instead concatenate all of the root certificates into a single file and specify that file with -CAfile.
claims that -CApath does work on Windows but that you have to have the symbolic link structure in place (otherwise you need to have a single -CAfile).