
(Disclaimer: Checked all the openssl related topics, no success).

OpenSSL version: OpenSSL 1.1.1s 1 Nov 2022

I'm trying to generate a chain of certificates, root -> intermediate -> user1,user2,user4, but OpenSSL complains in the verification step of the user certificate against the root certificate.

My batch script, which generates 3 certificates and signs each one with the previous one, is:

@echo OFF

:: Generate root certificate and self sign it
echo "generate root CA"
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=root"

:: Intermediate certificate, signed with root CA
echo "generate intermediate CA"
openssl genrsa -out intermediate.key 2048
openssl req -new -sha256 -key intermediate.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=intermediate" -out intermediate.csr
openssl x509 -req -in intermediate.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out intermediate.crt -days 500 -sha256 -extensions v3_ca -extfile x509-extensions.cnf

:: User 1 certificate, signed by intermediate certificate
echo "generate user1 CA"
openssl genrsa -out user1.key 2048
openssl req -new -sha256 -key user1.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=user1" -out user1.csr
openssl x509 -req -in user1.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out user1.crt -days 500 -sha256 -extensions v3_ca -extfile x509-extensions.cnf

:: Print
echo "print certificates"
openssl x509 -in rootCA.crt -text
openssl x509 -in intermediate.crt -text
openssl x509 -in user1.crt -text

:: Verify user 1 certificate trust chain w/o untrusted mode
openssl verify -verbose -CAfile rootca.crt intermediate.crt
openssl verify -verbose -CAfile rootca.crt user1.crt
openssl verify -verbose -CAfile rootca.crt intermediate.crt user1.crt
openssl verify -verbose -CAfile intermediate.crt user1.crt

My extensions file:

# ssl-extensions-x509.cnf

[v3_ca]
basicConstraints = CA:TRUE    # Tried FALSE too
keyUsage = digitalSignature, keyEncipherment
subjectAltName = IP:127.0.0.1, IP:192.168.73.120, IP:192.168.73.121

Why can't I verify rootCA -> intermediate -> user?

# This is OK
openssl verify -verbose -CAfile rootca.crt intermediate.crt
# This is NOK - verification fails, which is expected
openssl verify -verbose -CAfile rootca.crt user1.crt
# This is OK only between root and intermediate, not down to user
openssl verify -verbose -CAfile rootca.crt intermediate.crt user1.crt
# This is NOK - verification fails
openssl verify -verbose -CAfile intermediate.crt user1.crt

Output (example of generated data):

"generate root CA"
Generating RSA private key, 4096 bit long modulus (2 primes)
.................................................................++++
.................................................................................................................................................................................++++
e is 65537 (0x010001)
"generate intermediate CA"
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
.....+++++
e is 65537 (0x010001)
Signature ok
subject=C = US, ST = CA, O = "MyOrg, Inc.", CN = intermediate
Getting CA Private Key
"generate user1 CA"
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................+++++
................................+++++
e is 65537 (0x010001)
Signature ok
subject=C = US, ST = CA, O = "MyOrg, Inc.", CN = user1
Getting CA Private Key
"print certificates"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:90:a9:60:17:a7:c5:6e:44:d2:a7:ba:c2:ab:17:87:fe:eb:11:5b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = CA, O = "MyOrg, Inc.", CN = root
        Validity
            Not Before: Nov 16 17:01:56 2023 GMT
            Not After : Sep  5 17:01:56 2026 GMT
        Subject: C = US, ST = CA, O = "MyOrg, Inc.", CN = root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:cd:5e:40:08:6c:e2:e7:17:a6:30:e1:d6:5c:e2:
                    bf:76:51:04:aa:6a:c0:b8:4b:b4:76:4b:22:d2:4b:
                    7d:b4:49:89:a3:80:2f:12:fe:f6:6d:6a:39:7f:49:
                    b8:4e:df:18:a5:1d:1e:9f:7b:3a:64:1d:0e:32:0e:
                    9b:c2:ce:5f:fe:a7:41:a0:b5:f1:d0:98:1f:ae:88:
                    fe:4f:1a:f9:cd:af:50:8f:c4:3f:2e:5b:07:53:4a:
                    8e:cf:2c:8a:77:76:76:f4:c9:83:ef:80:0f:68:9f:
                    29:8c:e7:57:e3:75:31:67:32:e0:91:fd:11:43:7e:
                    5e:5c:c1:d5:27:9c:6b:20:26:12:97:6f:77:4a:13:
                    28:4b:0c:60:01:9a:d6:b4:d9:59:15:74:1a:3c:3f:
                    8d:d0:f7:1a:56:64:ae:04:40:f6:98:e6:28:ae:d2:
                    7c:96:18:29:9b:d6:d8:35:4f:a6:4e:54:8c:ed:9e:
                    c4:7e:94:3e:24:2f:a9:f3:93:d2:5a:8f:80:58:41:
                    f6:8d:6e:6e:0a:59:dc:90:fd:c2:e6:82:a6:5d:35:
                    78:30:2e:4a:ea:00:4f:26:20:7b:67:67:0a:b5:17:
                    44:97:97:7b:13:2f:64:b0:d2:d5:33:e2:0a:42:71:
                    28:a1:17:b0:04:ff:60:93:3a:da:53:33:ab:82:fd:
                    70:43:a7:6f:e3:0d:a2:a4:12:32:ce:8e:46:6a:13:
                    e3:68:15:d3:8a:6c:0c:ca:4c:d5:31:84:76:8d:ad:
                    57:e9:c6:28:d5:23:38:b5:ad:91:37:fe:4f:15:c5:
                    bb:9f:b8:df:f4:78:37:86:5d:6a:2a:09:0d:93:24:
                    fa:e2:16:80:14:8e:18:14:62:4e:43:7b:20:e2:66:
                    b3:95:8a:99:a9:e3:a6:18:3c:8f:bd:23:da:02:4e:
                    56:f9:ce:2d:6d:54:6a:c8:15:0a:44:1d:5b:b4:0c:
                    d4:b5:58:aa:16:94:19:08:dc:9f:61:1b:f9:63:6a:
                    87:07:c5:81:a0:c3:44:ee:7a:34:70:a7:b8:a1:3f:
                    83:ce:a5:71:43:05:6d:80:15:63:6d:2c:ea:b8:54:
                    14:86:2f:21:1a:42:26:55:99:d7:43:59:dc:45:b0:
                    25:4d:7b:bb:c6:47:39:0b:0c:0e:fe:5d:3a:6d:7e:
                    95:0d:c6:93:78:1c:82:34:f8:4c:0f:07:f3:d0:a0:
                    79:e8:42:c0:fb:d3:2f:9b:76:8b:b5:8d:de:cc:b3:
                    7d:af:a2:4b:9a:9a:7b:86:fb:a9:b4:c6:93:99:40:
                    e9:f5:a9:74:27:23:11:36:f0:fa:ef:a6:5a:1f:aa:
                    9b:70:29:43:c0:f7:23:71:c4:fa:52:13:dd:93:7b:
                    90:57:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C3:D7:2B:CE:03:16:B7:7C:A1:3A:58:04:70:57:CD:72:CC:1C:B2:AC
            X509v3 Authority Key Identifier:
                keyid:C3:D7:2B:CE:03:16:B7:7C:A1:3A:58:04:70:57:CD:72:CC:1C:B2:AC
        X509v3 Basic Constraints: critical
            CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
     bc:44:d5:8f:d5:4f:d8:d6:96:14:f5:ed:be:36:19:96:22:ae:
     40:d2:38:ef:6f:a9:54:00:02:c1:31:b3:7a:cd:1e:0b:06:df:
     85:56:10:fc:fd:39:19:f8:8c:7f:ce:06:11:de:51:3a:8b:31:
     73:e8:8d:b9:bd:a1:a5:84:33:84:c8:44:48:53:f9:fe:28:69:
     62:d0:07:fc:43:11:cf:dc:f6:90:c2:db:15:fc:b7:0a:2c:c4:
     9c:ad:b3:fd:db:6f:1a:56:ca:ef:70:db:92:2f:27:e9:b5:ce:
     66:43:16:a0:da:18:96:2e:ef:90:78:51:b4:33:87:65:b5:99:
     59:28:08:f4:3b:47:d3:3b:f0:f3:e0:41:6b:0b:ae:a0:67:f1:
     99:56:b1:98:f0:92:20:f1:08:d0:58:db:97:a5:de:c6:1c:26:
     44:1e:aa:c0:c8:69:c1:bf:c3:75:14:01:76:a1:f6:a7:84:8e:
     d7:e6:69:8f:fa:3b:d5:f0:2d:98:12:d9:92:5e:82:9c:11:4b:
     7c:36:ed:6a:0f:db:c6:21:40:9b:dc:61:8b:04:f5:68:ec:41:
     f6:93:04:20:cb:a5:5f:3f:ea:71:00:dc:7e:47:07:0f:c3:f1:
     4b:05:99:a9:95:57:5f:a3:75:4f:32:e1:b4:b8:66:91:3f:35:
     d3:08:dc:4d:40:51:2b:2e:2c:04:e5:e5:33:8b:e6:82:50:1c:
     aa:8d:89:62:e7:34:bd:c3:c5:fa:ee:be:55:7d:e6:e0:d0:35:
     2e:5c:44:1c:35:b8:97:41:8d:e9:eb:83:60:fa:cb:6d:ed:c3:
     8e:38:75:a6:f3:72:de:71:a8:85:47:09:31:92:22:cd:2a:ce:
     27:f4:cd:f4:f6:15:f4:4b:12:6f:ea:8f:d3:fc:14:8d:fd:2f:
     b9:a6:20:ea:2a:c1:75:b6:6a:db:2b:53:ee:88:99:ee:4a:cf:
     c6:75:42:45:7a:e8:1f:ba:e9:6f:27:62:5c:6f:64:52:23:9e:
     91:5a:4d:e8:82:00:ff:6b:cb:d8:5b:c9:e1:ec:4a:6c:d8:dc:
     6a:95:64:de:30:b0:30:88:3e:ec:5c:fd:5b:ab:5b:d6:f2:bc:
     3d:4d:58:07:11:6e:a6:d3:67:b3:a0:2c:e3:a9:1e:72:46:35:
     3d:dd:c3:c6:d8:59:fd:c5:a2:03:a7:f3:71:c3:3b:72:48:81:
     a1:e4:48:b9:42:22:60:91:ca:b2:a7:b9:c9:ac:a9:8e:01:16:
     99:ca:aa:89:90:54:a4:97:87:f4:11:88:0d:db:76:8a:d8:29:
     b9:8e:b2:c5:98:19:e3:d8:13:e6:f0:5c:50:6c:cd:85:ae:38:
     79:1f:e9:47:1a:7b:1d:52

-----BEGIN CERTIFICATE----- MIIFXzCCA0egAwIBAgIUA5CpYBenxW5E0qe6wqsXh/7rEVswDQYJKoZIhvcNAQEL BQAwPzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQKDAtNeU9yZywg SW5jLjENMAsGA1UEAwwEcm9vdDAeFw0yMzExMTYxNzAxNTZaFw0yNjA5MDUxNzAx NTZaMD8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UECgwLTXlPcmcs IEluYy4xDTALBgNVBAMMBHJvb3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK AoICAQDNXkAIbOLnF6Yw4dZc4r92UQSqasC4S7R2SyLSS320SYmjgC8S/vZtajl/ SbhO3xilHR6fezpkHQ4yDpvCzl/+p0GgtfHQmB+uiP5PGvnNr1CPxD8uWwdTSo7P LIp3dnb0yYPvgA9onymM51fjdTFnMuCR/RFDfl5cwdUnnGsgJhKXb3dKEyhLDGAB mta02VkVdBo8P43Q9xpWZK4EQPaY5iiu0nyWGCmb1tg1T6ZOVIztnsR+lD4kL6nz k9Jaj4BYQfaNbm4KWdyQ/cLmgqZdNXgwLkrqAE8mIHtnZwq1F0SXl3sTL2Sw0tUz 4gpCcSihF7AE/2CTOtpTM6uC/XBDp2/jDaKkEjLOjkZqE+NoFdOKbAzKTNUxhHaN rVfpxijVIzi1rZE3/k8VxbufuN/0eDeGXWoqCQ2TJPriFoAUjhgUYk5DeyDiZrOV ipmp46YYPI+9I9oCTlb5zi1tVGrIFQpEHVu0DNS1WKoWlBkI3J9hG/ljaocHxYGg w0TuejRwp7ihP4POpXFDBW2AFWNtLOq4VBSGLyEaQiZVmddDWdxFsCVNe7vGRzkL DA7+XTptfpUNxpN4HII0+EwPB/PQoHnoQsD70y+bdou1jd7Ms32vokuamnuG+6m0 xpOZQOn1qXQnIxE28PrvplofqptwKUPA9yNxxPpSE92Te5BXmwIDAQABo1MwUTAd BgNVHQ4EFgQUw9crzgMWt3yhOlgEcFfNcswcsqwwHwYDVR0jBBgwFoAUw9crzgMW t3yhOlgEcFfNcswcsqwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC AgEAvETVj9VP2NaWFPXtvjYZliKuQNI472+pVAACwTGzes0eCwbfhVYQ/P05GfiM f84GEd5ROosxc+iNub2hpYQzhMhESFP5/ihpYtAH/EMRz9z2kMLbFfy3CizEnK2z /dtvGlbK73Dbki8n6bXOZkMWoNoYli7vkHhRtDOHZbWZWSgI9DtH0zvw8+BBawuu oGfxmVaxmPCSIPEI0Fjbl6XexhwmRB6qwMhpwb/DdRQBdqH2p4SO1+Zpj/o71fAt mBLZkl6CnBFLfDbtag/bxiFAm9xhiwT1aOxB9pMEIMulXz/qcQDcfkcHD8PxSwWZ qZVXX6N1TzLhtLhmkT810wjcTUBRKy4sBOXlM4vmglAcqo2JYuc0vcPF+u6+VX3m 4NA1LlxEHDW4l0GN6euDYPrLbe3Djjh1pvNy3nGohUcJMZIizSrOJ/TN9PYV9EsS b+qP0/wUjf0vuaYg6irBdbZq2ytT7oiZ7krPxnVCRXroH7rpbydiXG9kUiOekVpN 6IIA/2vL2FvJ4exKbNjcapVk3jCwMIg+7Fz9W6tb1vK8PU1YBxFuptNns6As46ke ckY1Pd3DxthZ/cWiA6fzccM7ckiBoeRIuUIiYJHKsqe5yaypjgEWmcqqiZBUpJeH 9BGIDdt2itgpuY6yxZgZ49gT5vBcUGzNha44eR/pRxp7HVI= -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 
02:bd:8a:3e:42:2a:a5:47:81:c9:13:41:3b:7f:e1:a3:43:1b:53:9e Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = CA, O = "MyOrg, Inc.", CN = root Validity Not Before: Nov 16 17:01:56 2023 GMT Not After : Mar 30 17:01:56 2025 GMT Subject: C = US, ST = CA, O = "MyOrg, Inc.", CN = intermediate Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:e8:ab:17:c5:80:c8:8a:c9:1d:b8:24:9b:4c:6e: b1:36:a6:ca:7c:d8:77:99:d8:cc:86:92:f2:55:86: 6b:88:45:47:63:bd:6c:fc:68:6b:f0:d7:9d:3a:58: fd:51:46:9f:f8:42:dd:b2:c4:ed:d0:b5:24:fc:06: 32:11:14:ac:34:06:8e:b2:7a:11:b9:66:14:93:f2: 79:ba:f7:56:27:84:51:b8:61:95:80:48:cf:48:55: 2a:80:5b:85:1c:dd:74:2c:9c:87:0e:aa:4e:7b:2f: 4f:eb:93:a8:93:7d:56:14:a3:79:7f:31:a7:cf:f4: 6b:1a:c7:f2:01:ba:2e:62:68:db:83:7e:4d:83:9b: 42:7b:1d:c2:21:dd:09:c5:d4:51:8a:76:4b:6d:1a: e2:a9:bf:41:d3:65:e0:54:a2:02:5e:0f:83:e2:63: dc:20:0b:93:2c:82:2f:b0:e9:44:c5:54:b4:c9:a4: c6:d4:25:eb:fd:22:25:88:a8:5f:73:ef:1e:3d:ce: 4d:36:83:4c:36:46:03:fe:f9:49:1e:e4:24:b5:a6: 7d:ee:1f:5d:94:44:2c:b7:ef:b3:72:b1:35:1e:0a: 5f:1a:8a:74:57:bb:5a:f7:7a:53:19:68:03:4e:fb: b0:fb:4f:48:ba:94:8f:20:69:5f:17:33:f2:42:ec: 1e:ab Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:TRUE X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Subject Alternative Name: IP Address:127.0.0.1, IP Address:192.168.73.120, IP Address:192.168.73.121 Signature Algorithm: sha256WithRSAEncryption af:9e:95:5d:b1:d1:28:fd:be:7a:3a:ec:9f:92:76:d7:43:91: 21:9d:d5:a8:dc:ac:ea:dd:96:f4:63:75:ab:74:51:26:55:7c: d3:97:61:7c:6a:72:f7:5d:a4:46:79:13:92:c6:df:69:a4:f0: d3:52:b2:a3:50:0c:9c:16:06:2d:4a:15:87:43:98:73:1c:1f: cf:28:20:f8:d4:37:77:ea:96:55:32:85:22:f4:56:de:b7:f5: da:a9:4e:52:3e:4a:41:7e:37:d2:a1:01:b1:3c:29:74:83:9f: 9d:64:48:b8:4e:60:1f:8c:7e:b2:8c:1e:df:34:d8:26:75:36: ce:2d:cc:07:3b:6f:81:78:be:e0:ed:57:62:3e:cb:04:b6:44: 6e:f8:65:d9:33:28:46:02:68:21:56:a4:14:9b:ef:74:a2:69: 
3d:b9:dd:38:9a:28:c7:8a:4f:ab:2a:70:f2:99:22:88:5d:ac: 90:c2:47:c8:ee:6e:e6:dd:69:98:92:59:93:e7:29:21:88:78: 88:a4:c3:2e:ba:27:7d:93:96:a5:53:22:81:40:87:42:fb:71: f6:58:8d:1d:d2:48:8f:b4:b4:bd:17:42:76:a1:aa:44:a7:44: bb:17:d4:bd:13:9f:f2:c8:eb:8c:c6:ac:06:2c:5b:c2:8a:a8: 6f:f1:5d:ee:56:dc:8a:1a:65:0c:a7:f3:20:10:48:cf:7e:bc: 05:09:71:ee:94:3a:80:c4:d3:ce:24:8c:e9:61:df:3d:3d:0f: c7:f5:4f:21:fe:46:34:a8:c9:c4:2f:5b:fd:be:15:ce:74:e4: be:b5:2a:1b:27:06:4b:87:e2:5a:cf:f9:af:0c:87:c1:8f:49: 38:bd:e8:78:77:c0:33:a3:f7:28:18:ef:df:f1:ee:d1:bb:7d: 66:50:ce:da:2b:ae:23:9d:4d:76:ee:b6:47:c8:96:08:45:04: 37:5d:05:f9:22:3d:d9:13:26:d8:18:57:d2:1d:17:b7:1b:22: ca:92:6f:23:7d:ab:d0:c8:32:e9:82:d4:56:11:5b:26:d4:03: ec:fd:6f:54:8f:36:31:20:ed:d3:c1:23:ce:78:c6:32:80:9f: c5:30:9a:92:d3:ee:07:59:54:cd:3b:02:6f:58:5d:e7:61:5e: 60:55:e8:7b:33:d6:aa:32:72:ea:0d:79:94:a9:b7:80:5b:02: 21:36:29:1a:60:11:8a:41:3d:89:86:c3:f6:89:c6:2e:07:67: 55:1a:ed:f7:b6:bd:90:80:85:e5:3f:b2:95:71:23:df:17:53: 67:5a:94:30:ea:85:7a:fa:28:61:7b:e0:c1:a6:25:d7:d2:4a: c6:dd:52:74:5e:64:8b:0c -----BEGIN CERTIFICATE----- MIIETjCCAjagAwIBAgIUAr2KPkIqpUeByRNBO3/ho0MbU54wDQYJKoZIhvcNAQEL BQAwPzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQKDAtNeU9yZywg SW5jLjENMAsGA1UEAwwEcm9vdDAeFw0yMzExMTYxNzAxNTZaFw0yNTAzMzAxNzAx NTZaMEcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UECgwLTXlPcmcs IEluYy4xFTATBgNVBAMMDGludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBAOirF8WAyIrJHbgkm0xusTamynzYd5nYzIaS8lWGa4hFR2O9 bPxoa/DXnTpY/VFGn/hC3bLE7dC1JPwGMhEUrDQGjrJ6EblmFJPyebr3VieEUbhh lYBIz0hVKoBbhRzddCychw6qTnsvT+uTqJN9VhSjeX8xp8/0axrH8gG6LmJo24N+ TYObQnsdwiHdCcXUUYp2S20a4qm/QdNl4FSiAl4Pg+Jj3CALkyyCL7DpRMVUtMmk xtQl6/0iJYioX3PvHj3OTTaDTDZGA/75SR7kJLWmfe4fXZRELLfvs3KxNR4KXxqK dFe7Wvd6UxloA077sPtPSLqUjyBpXxcz8kLsHqsCAwEAAaM6MDgwDAYDVR0TBAUw AwEB/zALBgNVHQ8EBAMCBaAwGwYDVR0RBBQwEocEfwAAAYcEwKhJeIcEwKhJeTAN BgkqhkiG9w0BAQsFAAOCAgEAr56VXbHRKP2+ejrsn5J210ORIZ3VqNys6t2W9GN1 
q3RRJlV805dhfGpy912kRnkTksbfaaTw01Kyo1AMnBYGLUoVh0OYcxwfzygg+NQ3 d+qWVTKFIvRW3rf12qlOUj5KQX430qEBsTwpdIOfnWRIuE5gH4x+sowe3zTYJnU2 zi3MBztvgXi+4O1XYj7LBLZEbvhl2TMoRgJoIVakFJvvdKJpPbndOJoox4pPqypw 8pkiiF2skMJHyO5u5t1pmJJZk+cpIYh4iKTDLronfZOWpVMigUCHQvtx9liNHdJI j7S0vRdCdqGqRKdEuxfUvROf8sjrjMasBixbwoqob/Fd7lbcihplDKfzIBBIz368 BQlx7pQ6gMTTziSM6WHfPT0Px/VPIf5GNKjJxC9b/b4VznTkvrUqGycGS4fiWs/5 rwyHwY9JOL3oeHfAM6P3KBjv3/Hu0bt9ZlDO2iuuI51Ndu62R8iWCEUEN10F+SI9 2RMm2BhX0h0XtxsiypJvI32r0Mgy6YLUVhFbJtQD7P1vVI82MSDt08EjznjGMoCf xTCaktPuB1lUzTsCb1hd52FeYFXoezPWqjJy6g15lKm3gFsCITYpGmARikE9iYbD 9onGLgdnVRrt97a9kICF5T+ylXEj3xdTZ1qUMOqFevooYXvgwaYl19JKxt1SdF5k iww= -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 22:f2:9a:dd:db:78:77:07:f7:66:68:4e:18:c0:fd:23:8e:95:e1:75 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = CA, O = "MyOrg, Inc.", CN = intermediate Validity Not Before: Nov 16 17:01:56 2023 GMT Not After : Mar 30 17:01:56 2025 GMT Subject: C = US, ST = CA, O = "MyOrg, Inc.", CN = user1 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:b3:f2:c0:e2:62:e6:e0:bd:31:90:fc:64:63:0e: b4:9e:96:23:71:f2:f9:56:33:4b:b2:b8:a3:06:de: 74:66:c2:a7:ba:5a:24:3b:3a:4c:df:a8:93:57:c2: 5c:32:d1:66:c5:bf:95:cc:10:39:9f:61:8b:27:2c: e8:47:39:b5:68:33:b6:0e:02:24:25:94:35:ae:48: fe:8f:79:2c:0a:11:a6:8f:27:29:48:1b:26:59:61: ec:df:03:98:43:a2:3c:3e:99:2a:fb:8f:71:56:f5: 1e:75:46:ad:5f:65:5c:59:4d:af:26:3b:b4:ab:ca: 4a:b8:ff:34:70:f3:f8:26:83:63:2b:7a:99:e5:0b: 30:c0:61:c0:81:43:f1:94:eb:26:44:40:be:99:fd: ae:3b:4b:22:d5:7c:5e:2a:34:ff:3b:8b:c0:88:12: ba:24:3a:d3:f8:31:03:43:1b:2a:e5:94:67:63:c1: c3:a0:7c:a9:fc:d1:d6:ec:0c:ca:db:2d:ff:0a:6a: da:77:6a:00:58:3e:c2:e1:6f:dd:dd:2c:ee:b0:f2: 07:89:65:f9:cf:9e:19:8e:a1:fd:7d:6a:bd:c1:d7: 5f:bd:ff:20:89:bf:cb:7d:7b:a1:b2:23:89:0e:45: 97:19:3c:1f:d6:5f:c4:a3:6d:ce:01:6c:68:92:b2: e6:25 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: 
CA:TRUE X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Subject Alternative Name: IP Address:127.0.0.1, IP Address:192.168.73.120, IP Address:192.168.73.121 Signature Algorithm: sha256WithRSAEncryption c9:76:82:51:21:75:42:64:2c:ab:bb:62:66:a9:cf:78:1b:ff: 37:2a:8f:63:b5:37:2c:22:75:fa:61:c7:70:9a:f8:17:75:ad: 06:39:9d:7f:18:d6:3f:8c:bd:3b:9d:f4:5f:44:96:35:91:b8: 5e:2f:c8:d7:6c:c7:08:01:2c:a1:ff:6a:5d:93:a3:2f:86:f3: d1:e6:5d:6e:55:6f:69:72:de:9c:ad:bc:b0:a3:c3:9f:dc:29: ee:81:a0:37:3f:ae:eb:72:86:5f:7c:60:0a:d1:08:e3:2c:7a: 97:ea:e2:6e:40:4d:b9:9f:0e:62:7d:3c:14:94:d6:76:78:c5: 68:63:a0:bf:65:69:b7:61:64:22:03:55:28:74:ac:a3:e7:58: 83:95:3c:77:0f:9b:4d:c6:98:e7:0f:6d:14:f7:7d:d7:36:11: 3d:1f:16:75:3d:19:19:72:83:22:fb:70:0d:16:b3:60:bd:f5: 6a:90:c2:c1:e5:a5:d6:39:24:a6:14:b5:e4:77:5f:e6:74:74: c4:80:60:47:93:e3:45:54:9e:23:d7:bd:7b:ba:0a:44:3f:b5: cf:ef:32:fd:75:02:18:5f:44:79:be:4c:0a:c8:0d:c2:af:b0: 44:f9:cb:ca:d8:ee:7a:f0:e9:22:e9:bd:9c:6b:f0:7d:94:c2: ba:de:73:7a -----BEGIN CERTIFICATE----- MIIDTzCCAjegAwIBAgIUIvKa3dt4dwf3ZmhOGMD9I46V4XUwDQYJKoZIhvcNAQEL BQAwRzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQKDAtNeU9yZywg SW5jLjEVMBMGA1UEAwwMaW50ZXJtZWRpYXRlMB4XDTIzMTExNjE3MDE1NloXDTI1 MDMzMDE3MDE1NlowQDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQK DAtNeU9yZywgSW5jLjEOMAwGA1UEAwwFdXNlcjEwggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQCz8sDiYubgvTGQ/GRjDrSeliNx8vlWM0uyuKMG3nRmwqe6 WiQ7OkzfqJNXwlwy0WbFv5XMEDmfYYsnLOhHObVoM7YOAiQllDWuSP6PeSwKEaaP JylIGyZZYezfA5hDojw+mSr7j3FW9R51Rq1fZVxZTa8mO7Srykq4/zRw8/gmg2Mr epnlCzDAYcCBQ/GU6yZEQL6Z/a47SyLVfF4qNP87i8CIErokOtP4MQNDGyrllGdj wcOgfKn80dbsDMrbLf8Katp3agBYPsLhb93dLO6w8geJZfnPnhmOof19ar3B11+9 /yCJv8t9e6GyI4kORZcZPB/WX8Sjbc4BbGiSsuYlAgMBAAGjOjA4MAwGA1UdEwQF MAMBAf8wCwYDVR0PBAQDAgWgMBsGA1UdEQQUMBKHBH8AAAGHBMCoSXiHBMCoSXkw DQYJKoZIhvcNAQELBQADggEBAMl2glEhdUJkLKu7Ymapz3gb/zcqj2O1Nywidfph x3Ca+Bd1rQY5nX8Y1j+MvTud9F9EljWRuF4vyNdsxwgBLKH/al2Toy+G89HmXW5V b2ly3pytvLCjw5/cKe6BoDc/rutyhl98YArRCOMsepfq4m5ATbmfDmJ9PBSU1nZ4 
xWhjoL9labdhZCIDVSh0rKPnWIOVPHcPm03GmOcPbRT3fdc2ET0fFnU9GRlygyL7 cA0Ws2C99WqQwsHlpdY5JKYUteR3X+Z0dMSAYEeT40VUniPXvXu6CkQ/tc/vMv11 AhhfRHm+TArIDcKvsET5y8rY7nrw6SLpvZxr8H2Uwrrec3o= -----END CERTIFICATE-----

intermediate.crt: OK

C = US, ST = CA, O = "MyOrg, Inc.", CN = user1
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1.crt: verification failed

intermediate.crt: OK
C = US, ST = CA, O = "MyOrg, Inc.", CN = user1
error 20 at 0 depth lookup: unable to get local issuer certificate
error user1.crt: verification failed

C = US, ST = CA, O = "MyOrg, Inc.", CN = intermediate
error 2 at 1 depth lookup: unable to get issuer certificate
error user1.crt: verification failed

  • In short: openssl expects a root certificate as trust anchor. If you only have an intermediate you need to specify -partial_chain to accept it as the trusted root of an incomplete (no root CA) chain. – Steffen Ullrich Nov 16 '23 at 17:17
  • Thanks @SteffenUllrich this makes sense. But did I do something wrong in generation, since openssl verify -verbose -CAfile rootca.crt intermediate.crt user1.crt failed too, and rootca.crt is the root. – unalignedmemoryaccess Nov 16 '23 at 18:27
  • The verify command takes a list of certificates and verifies each independently. So what you did is basically the same as first checking the intermediate against the root (which succeeds) and then checking user1 against the root, but w/o considering the intermediate (which fails). – Steffen Ullrich Nov 16 '23 at 18:31
  • OK understood. Does it mean that if openssl verify -CAfile rootca.crt intermediate.crt and openssl verify -CAfile intermediate.crt user1.crt both return OK, the chain is valid? I tried openssl verify -verbose -partial_chain -CAfile intermediate.crt user1.crt and it fails to verify, with error invalid CA certificate. Looking man page now. – unalignedmemoryaccess Nov 16 '23 at 18:37
  • Take a look at the actual error message you get when validating user1 against the intermediate. I get error 32 at 1 depth lookup: key usage does not include certificate signing. This is because your intermediate is missing the right key usage, specifically keyCertSign. Added another question as duplicate which describes which key usage is needed – Steffen Ullrich Nov 16 '23 at 19:24
  • This solved the issue: https://superuser.com/questions/738612/openssl-ca-keyusage-extension. Adding parameter keyUsage = digitalSignature, keyEncipherment, keyCertSign in the extensions file, solved the problem – unalignedmemoryaccess Nov 16 '23 at 19:32
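The two points made in the comments above (the intermediate needs keyCertSign, and openssl verify checks each listed file independently unless the intermediate is passed with -untrusted or made a trust anchor with -partial_chain) can be checked end to end with a small POSIX shell script. This is an added example, not the asker's batch script or anything from the linked answer: it uses its own extension file with separate CA and leaf profiles, reuses the subjects and one of the IP addresses from the question, and assumes an openssl binary (1.1.1 or 3.x) on PATH. All file names are constructed for the demo and live in a temporary directory.

```shell
#!/bin/sh
# Added example: build root -> intermediate -> user1 with correct extensions,
# then verify the chain the ways discussed in the comments. Not the asker's
# script; all names, subjects and paths are constructed for this demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file: a minimal [req] section so "openssl req" works without the
# system openssl.cnf, plus three extension profiles. CA profiles carry
# keyCertSign (the missing bit in the question); the leaf is CA:FALSE.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = placeholder

[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Generate the three certificates: self-signed root, intermediate signed by
# the root with the CA profile, user1 signed by the intermediate as a leaf.
build_chain() {
  openssl genrsa -out rootCA.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=root" -config ext.cnf \
    -extensions v3_root -out rootCA.crt
  openssl genrsa -out intermediate.key 2048 2>/dev/null
  openssl req -new -sha256 -key intermediate.key -config ext.cnf \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=intermediate" -out intermediate.csr
  openssl x509 -req -in intermediate.csr -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -days 500 -sha256 -extfile ext.cnf \
    -extensions v3_intermediate -out intermediate.crt 2>/dev/null
  openssl genrsa -out user1.key 2048 2>/dev/null
  openssl req -new -sha256 -key user1.key -config ext.cnf \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=user1" -out user1.csr
  openssl x509 -req -in user1.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 500 -sha256 -extfile ext.cnf \
    -extensions v3_leaf -out user1.crt 2>/dev/null
}

# True when the certificate's Key Usage includes Certificate Sign (keyCertSign).
has_cert_sign() { openssl x509 -in "$1" -noout -text | grep -q "Certificate Sign"; }

# Correct full-chain check: root is the trust anchor, intermediate is supplied
# as an untrusted chain element, user1 is the certificate being verified.
verify_full_chain() { openssl verify -CAfile rootCA.crt -untrusted intermediate.crt user1.crt; }

# Intermediate as trust anchor of an incomplete chain (needs -partial_chain).
verify_partial_chain() { openssl verify -partial_chain -CAfile intermediate.crt user1.crt; }

# The question's command: each listed file is checked on its own against the
# root, so user1.crt fails with "unable to get local issuer certificate".
verify_each_independently() { openssl verify -CAfile rootCA.crt intermediate.crt user1.crt; }

# Leaf against the root with no intermediate anywhere: also fails.
verify_leaf_against_root_only() { openssl verify -CAfile rootCA.crt user1.crt; }

build_chain
echo "== intermediate key usage =="
openssl x509 -in intermediate.crt -noout -text | grep -A1 "Key Usage"
echo "== root trusted, intermediate as -untrusted =="
verify_full_chain
echo "== intermediate as trust anchor with -partial_chain =="
verify_partial_chain
echo "== each file verified independently against the root (user1 expected to fail) =="
verify_each_independently || echo "(failed as expected)"
```

Run it as `sh chain-demo.sh`; the only difference from the question's script that matters for verification is the extension profile (keyCertSign on the CA certificates, a separate non-CA profile for user1) and the use of -untrusted or -partial_chain so that the intermediate is actually part of the chain being built.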
