1
votes

I have a newly purchased GeoTrust domain certificate and a matching CA file and would like to verify with openssl.

openssl verify -verbose -purpose any \
    -CAfile /full/path/sub.domain.com-geotrust.crt /full/path/sub.domain.com.crt

From this page: https://secure.marumoto.us/motowiki/tiki-index.php?page=Verify+a+Certificate+Chain

The issuer of each certificate in the chain should match the subject of the next certificate in the chain. For example, the issuer of myserver.mydomain.com.cert should match the subject of myintermediate_ca.cert, and the issuer of myintermediate_ca.cert should match the subject of myroot_ca.cert. You can use the following command to view a certificate in .pem or base64 format.

From:

openssl x509 -text -in sub.domain.crt
openssl x509 -text -in sub.domain-geotrust.crt    (CA root file)

sub.domain.com:
Subject:    OU=GT44865949,
            OU=See www.geotrust.com/resources/cps (c)15,
            OU=Domain Control Validated - QuickSSL(R),
            CN=sub.domain.com
Issuer:
            commonName                = GeoTrust DV SSL CA - G4
            organizationalUnitName    = Domain Validated SSL
            organizationName          = GeoTrust Inc.
            countryName               = US

Intermediate:
Subject:
            commonName                = GeoTrust DV SSL CA - G4
            organizationalUnitName    = Domain Validated SSL
            organizationName          = GeoTrust Inc.
            countryName               = US

Issuer:
            commonName                = GeoTrust Global CA
            organizationName          = GeoTrust Inc.
            countryName               = US

Root:
Subject:
            commonName                = GeoTrust Global CA
            organizationName          = GeoTrust Inc.
            countryName               = US
Issuer:
            organizationalUnitName    = Equifax Secure Certificate Authority
            organizationName          = Equifax
            countryName               = US

It appears my Issuer and Subject fields are matching up properly but I am getting the following error with openssl:

error 20 at 0 depth lookup:unable to get local issuer certificate
/full/path/sub.domain.com.crt: /OU=GT44865949/OU=See www.geotrust.com/resources/cps (c)15/OU=Domain Control Validated - QuickSSL(R)/CN=sub.domain.com
error 20 at 0 depth lookup:unable to get local issuer certificate

I'd like to use this and a similar GeoTrust certificate at a different subdomain to do two-way SSL authentication at a RESTful web URL, but the certs won't verify with 'openssl verify' against the CA files issued with them. Any suggestions much appreciated.

Do you have the GeoTrust intermediate cert in your openssl CA store? – RomanK

I have the sub.domain.crt file and a second file sub.domain.com-geotrust.crt. The second file contains two certificates in pem format. The first is the intermediate. The second is the root certificate. I just tried splitting the two certs into two separate files and using the -untrust parameter for the intermediate and still received the following error: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA error 2 at 2 depth lookup:unable to get issuer certificate – mba12

If I am passing a CA file as a parameter to openssl with -CAfile that contains the intermediate and root CA for my certificate, does the intermediate and root CA also need to be added to the "store" location found with openssl version -d? My perception was no, but I'll try that too. Thanks. – mba12

Just to rule out the obvious: is the root CA self-signed? I'm not sure about GeoTrust, but many CA vendors tend to use multiple layers of intermediates, so it would be good to ensure that the second cert is definitely a root one. Did you try supplying the CAdir parameter to openssl after splitting the certs? – RomanK

Do you have the GeoTrust root CA in your CA dir? If the issuer and subject for a cert are different, then it's not a root CA by definition. I just went to my Firefox cert store, found the root CA with the name GeoTrust Global CA and extracted it for you: filedropper.com/geotrustglobalca . Try renaming it to a .pem file in your CADir and see if the verification succeeds. – RomanK

3 Answers

1
votes

As per discussion, it is a matter of allowing openssl to see the entire validation chain: with both GeoTrust CA intermediates and the root.

openssl should be run with the CADir parameter containing all 3 CAs in PEM format. The actual root for GeoTrust can either be extracted from your favourite browser, or here: filedropper.com/geotrustglobalca.

When you configure your actual server, just make sure that you send the intermediates on the Server Hello; some sites don't do that and break clients that do not have the intermediates cached.

1
votes

Following on from RomanK's answer, you can get the GeoTrust Global CA from their root certificate store. They have a number of primary/universal/global certificates listed there, so make sure to get the right one for your intermediate certificate.

1
votes

As per the chain display, the root certificate is not self-signed. It shows it is issued by Equifax. OpenSSL will continue giving the error "local issuer certificate not found" until it gets a self-signed root certificate. When it comes across a self-signed root, it is able to verify the certificate chain as complete.
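An added example, not part of the question or of any answer above: a POSIX shell script that builds a constructed three-level chain with openssl and then runs `openssl verify` three ways. It demonstrates both the chain rule quoted in the question (the issuer of each certificate equals the subject of the next, and chain building only stops at a certificate whose subject equals its own issuer) and the point of the last answer (verification does not complete until openssl reaches a self-signed root). It assumes an openssl binary (1.1.1 or newer) on PATH; the names Example Root CA, Example Intermediate CA and sub.example.test, the temporary directory and the extension files are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the question or answers). Builds a constructed
# chain root -> intermediate -> leaf, then shows which "openssl verify"
# invocations succeed and which reproduce "unable to get issuer certificate".
# Assumes an openssl binary (1.1.1+) on PATH. All names are constructed.
set -e

DEMO=$(mktemp -d)

# Extension profiles. A CA must carry basicConstraints CA:TRUE (and, when
# keyUsage is present, keyCertSign) or verify rejects it as "invalid CA certificate".
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$DEMO/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:sub.example.test\n' > "$DEMO/leaf.ext"

# csr_and_key NAME SUBJECT: write $DEMO/NAME.key and $DEMO/NAME.csr
csr_and_key() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$DEMO/$1.key" -out "$DEMO/$1.csr" 2>/dev/null
}

# Build the chain: the root signs itself (subject == issuer), the root
# issues the intermediate, the intermediate issues the leaf.
make_chain() {
  csr_and_key root "/C=US/O=Example Corp/CN=Example Root CA"
  openssl x509 -req -days 2 -in "$DEMO/root.csr" -signkey "$DEMO/root.key" \
    -extfile "$DEMO/ca.ext" -out "$DEMO/root.pem" 2>/dev/null

  csr_and_key int "/C=US/O=Example Corp/CN=Example Intermediate CA"
  openssl x509 -req -days 2 -in "$DEMO/int.csr" \
    -CA "$DEMO/root.pem" -CAkey "$DEMO/root.key" -CAcreateserial \
    -extfile "$DEMO/ca.ext" -out "$DEMO/int.pem" 2>/dev/null

  csr_and_key leaf "/CN=sub.example.test"
  openssl x509 -req -days 2 -in "$DEMO/leaf.csr" \
    -CA "$DEMO/int.pem" -CAkey "$DEMO/int.key" -CAcreateserial \
    -extfile "$DEMO/leaf.ext" -out "$DEMO/leaf.pem" 2>/dev/null
}

# root_status FILE: print "self-signed" when subject equals issuer. This is
# the check the last answer describes: only such a certificate ends a chain.
root_status() {
  s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
  i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  [ "$s" = "$i" ] && echo "self-signed" || echo "not self-signed"
}

# verify_result ARGS...: run "openssl verify ARGS..." and print OK or FAIL.
verify_result() {
  if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_chain

echo "root: $(root_status "$DEMO/root.pem")"   # self-signed
echo "int:  $(root_status "$DEMO/int.pem")"    # not self-signed

# 1. Trusted self-signed root, intermediate handed over as untrusted: verifies.
verify_result -CAfile "$DEMO/root.pem" -untrusted "$DEMO/int.pem" "$DEMO/leaf.pem"
# 2. Only the intermediate in the CA file, no self-signed root: openssl keeps
#    looking for the intermediate's issuer and stops with
#    "unable to get issuer certificate", the situation in the question.
verify_result -CAfile "$DEMO/int.pem" "$DEMO/leaf.pem"
# 3. Deliberately accept the intermediate as a trust anchor: verifies.
verify_result -partial_chain -CAfile "$DEMO/int.pem" "$DEMO/leaf.pem"
```

The second invocation is the question's situation in miniature: the file passed with -CAfile holds the intermediate but nothing self-signed above it, so chain building runs out of issuers. Adding the real self-signed root to -CAfile (or to the directory passed with -CApath) is the fix the answers describe; -partial_chain is the explicit way to tell openssl that an intermediate is itself the anchor you trust, which is a conscious policy decision rather than something to reach for just to make the error go away.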