I'm new to using OpenSSL and currently using it in Windows trying to troubleshoot for the party connecting to our server.

Verify error:num=20:unable to get local issuer certificate
Verify error:num=21:unable to verify the first certificate

After a few searches I realize that I need to specify the path for the trusted root CA.

The directory to use for server certificate verification. This directory must be in "hash format", see verify for more information. These are also used when building the client certificate chain.

The only problem I have is that most online examples are using Unix based systems so the examples are usually like the one just above. I'm not too familiar with Unix so I assume if my CAs are in C:\OpenSSL-Win64\bin\cas

Then the ca path parameter goes like this one below. However, I still get the same result so I'm not so sure if I understand this correctly.

That error is because openssl.exe wants you to tell it where to get root CA certs.

You cannot use the Windows certificate store directly with OpenSSL. Instead OpenSSL expects its CAs in one of two ways:

Many files: In a special folder structure. One file per certificate with regular names like Verisign-CA.pem. (This is so that humans can understand the cert store.) And then a symlink to each such file. And the symlinks have weird names like 01c34cfa. They are named for a hash value of the certificate file. (This is so that OpenSSL can understand the cert store. More info: man page for openssl verify.) If you want to add a cert, you just drop the file in the directory and run a script that creates the symlink for you. You can specify the path to that folder with the CApath command line argument (Case sensitive: Large CA, small path.):

-CApath arg - PEM format directory of CA's

Single file: All CA certificates lumped together in a PEM bundle. You can specify the path to that file with the CAfile command line argument (Case sensitive: Large CA, small file.):

-CAfile arg - PEM format file of CA's

And one easy way to get such a PEM bundle is to download it from the testssl.sh site:

And this will then work with a Windows installation of OpenSSL:

c:\> openssl s_client -connect :443 -CAfile "c:\Microsoft.pem"
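The "many files" layout can be built on Windows without symlinks, because OpenSSL only needs a file named after the certificate's subject hash to exist in the directory. The script below is an added example, not part of the original post; it assumes openssl.exe is on PATH, that the directory from the question holds one PEM certificate per file, and `<host>` is a placeholder.

```powershell
# Added example (not from the original post): build a "hash format" CA
# directory for OpenSSL on Windows by copying instead of symlinking.
# Assumptions: openssl.exe is on PATH; $CaDir holds one PEM certificate per file.
param(
    [string]$CaDir = 'C:\OpenSSL-Win64\bin\cas'   # directory from the question
)

# Drop hash-named copies left by an earlier run so numbering starts at 0.
Get-ChildItem -Path $CaDir -File |
    Where-Object { $_.Name -match '^[0-9a-f]{8}\.\d+$' } |
    Remove-Item

$certs = Get-ChildItem -Path $CaDir -File |
    Where-Object { $_.Extension -in '.pem', '.crt', '.cer' }

foreach ($cert in $certs) {
    # Subject-name hash: the file name OpenSSL looks for under -CApath.
    $hash = & openssl x509 -noout -hash -in $cert.FullName
    if ($LASTEXITCODE -ne 0 -or -not $hash) {
        Write-Warning "Skipped $($cert.Name): not a readable PEM certificate"
        continue
    }
    $hash = "$hash".Trim()

    # Two CAs can share a subject hash; OpenSSL then tries .0, .1, .2, ...
    $n = 0
    while (Test-Path (Join-Path $CaDir "$hash.$n")) { $n++ }

    Copy-Item -Path $cert.FullName -Destination (Join-Path $CaDir "$hash.$n")
    Write-Host "$($cert.Name) -> $hash.$n"
}

# Then point s_client at the directory (<host> is a placeholder):
#   openssl s_client -connect <host>:443 -CApath $CaDir
```

Re-run the script whenever a certificate is added to or removed from the directory, since the hash-named copies do not follow changes to the originals the way symlinks would.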