13
votes

I cannot verify the certificate with openssl

openssl verify cert.pem 

I get something like this:

cert.pem: /C=PL/O=DATA
error 20 at 0 depth lookup: unable to get local issuer certificate

The same cert, from the CentOS machine, verified correctly.

Debian: squeeze / sid

Is it a problem with the root CA? Would updating openssl help?

3
I'm voting to close this question because it belongs to unix.stackexchange.com.
peterh

3 Answers

12
votes

Unlike browsers, which trust nearly everything from anybody, OpenSSL trusts nothing by default.

It's up to you to determine what should be trusted. You will have to specify something when using OpenSSL. It may be a cert or a list of certs to trust.

The directory /etc/ssl/certs contains many certs. Using that directory should allow you to verify almost anything:

openssl verify -CApath /etc/ssl/certs cert.pem

It is recommended that you reduce the number of trusted certs to one, two or the minimum possible.

7
votes

You need to specify the CA cert in order to verify the issued cert, since it is obviously not included in the PEM file (though that would be possible):

openssl verify -CAfile your_ca_cert_file cert.pem

If you do not get the error on CentOS, then the CA cert is available there and openssl can use it to verify cert.pem successfully.

3
votes

You need to make your CA trusted on the server. For example, if your cert is from GoDaddy, run the following commands.

cd /tmp
sudo wget -O gd_intermediate.crt https://certs.godaddy.com/repository/gd_intermediate.crt
sudo cp /tmp/gd_intermediate.crt /usr/local/share/ca-certificates/gd_intermediate.crt
sudo update-ca-certificates

After running these commands, your certificate should verify:

openssl verify cert.pem
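The three answers above are variations on one point: `openssl verify` only builds a chain to certificates you have told it to trust, and "error 20 at 0 depth lookup: unable to get local issuer certificate" appears whenever the issuer of cert.pem cannot be found, whether that issuer is a root that is not in the store (first and second answers) or an intermediate that was never installed (third answer). The script below is an added example written for this page, not code from any of the answers. It builds a throwaway root CA, an intermediate CA and a leaf with the openssl command line tool, then runs `openssl verify` with each of the options the answers mention. Every subject, file name and directory in it is constructed for the demo; the `verdict` helper is mine and simply reports OK or the OpenSSL error number.

```shell
#!/bin/sh
# Added example, not taken from the answers above: a throwaway
# root CA -> intermediate CA -> leaf chain, then `openssl verify` with
# the options the answers mention. All names and subjects are made up;
# the only requirement is the openssl command line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req/extension config so the script does not depend on the
# system openssl.cnf. Subjects are passed with -subj below.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = PL
O = Demo
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

# Root CA (self-signed): the thing that belongs in /etc/ssl/certs or -CAfile.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config req.cnf -extensions v3_ca -subj "/C=PL/O=Demo/CN=Demo Root CA" \
    -keyout root.key -out root.pem

# Intermediate CA issued by the root (the role gd_intermediate.crt plays).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -subj "/C=PL/O=Demo/CN=Demo Intermediate CA" \
    -keyout inter.key -out inter.csr
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile req.cnf -extensions v3_ca -out inter.pem

# Leaf issued by the intermediate: the questioner's cert.pem (/C=PL/O=DATA).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -subj "/C=PL/O=DATA" -keyout cert.key -out cert.csr
openssl x509 -req -in cert.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -sha256 -extfile req.cnf -extensions v3_leaf -out cert.pem

# Hashed directory for -CApath: OpenSSL looks for files named <subject_hash>.<n>,
# which is the layout /etc/ssl/certs has after update-ca-certificates runs.
mkdir capath
cp root.pem "capath/$(openssl x509 -in root.pem -noout -subject_hash).0"

# Run `openssl verify` with the given arguments and print a one-word verdict:
# OK, or the number from OpenSSL's "error N at D depth lookup" line
# (20 = unable to get local issuer certificate, the error in the question).
verdict() {
    out=$(openssl verify "$@" 2>&1) && { echo OK; return 0; }
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    return 1
}

echo "no trust anchor given:                 $(verdict cert.pem)"
echo "root trusted, intermediate missing:    $(verdict -CAfile root.pem cert.pem)"
echo "root trusted + -untrusted inter.pem:   $(verdict -CAfile root.pem -untrusted inter.pem cert.pem)"
echo "-CApath capath + -untrusted inter.pem: $(verdict -CApath capath -untrusted inter.pem cert.pem)"
echo "only the intermediate trusted:         $(verdict -CAfile inter.pem cert.pem)"
echo "same, with -partial_chain:             $(verdict -partial_chain -CAfile inter.pem cert.pem)"
echo "system store excluded, root only:      $(verdict -no-CAfile -no-CApath -CAfile root.pem -untrusted inter.pem cert.pem)"
```

The first two lines of output are both error 20: with no trust anchor, and with the root trusted but the intermediate absent, OpenSSL fails at depth 0 in exactly the way the question shows, which is why installing the intermediate (third answer) or passing it with `-untrusted` fixes it. Trusting only the intermediate fails without `-partial_chain`, because by default OpenSSL insists on reaching a self-signed root. The last line is the "trust the minimum" advice from the first answer made explicit: `-no-CAfile -no-CApath` drops the system store so only root.pem is trusted.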