openssl verify - error 20 at 0 depth lookup:unable to get local issuer certificate
I created a PEM certificate from a PFX certificate and wanted to verify it. However, I ran into this issue and tried to find some answers, but I didn't, and therefore I don't know how to fix it. Could you please advise? Thank you very much.

C:\OpenSSL-Win32\bin>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

C:\OpenSSL-Win32\bin>openssl
OpenSSL> verify C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>
Tamarin answered 26/4, 2013 at 11:38 Comment(1)
Same problem here with a fresh certificate issued to us and installed on a Tomcat server.Prakrit
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem

Close. You need to add the CA's root certificate with -CAfile, and not your end-entity certificate. Something like:

openssl verify -CAfile C:\ca-cert.pem C:\mycert.pem

Also, if there is an intermediate certificate, then it needs to be added to mycert.pem. So mycert.pem will actually have two (or more) certificates (rather than one).

Adding all required certificates to mycert.pem in an effort to build a valid chain solves the "which directory" problem. It's a well-known problem in PKI. Essentially, a client (like me) does not know where to go to get missing intermediate certificates.

Flagstone answered 21/4, 2014 at 4:26 Comment(4)
In the case of a self-signed certificate, isn't the self-signed cert both the CA cert and the entity cert?Dulcie
@WilburWhateley - No. Basic Constraints and CA:FALSE must be set. CA:TRUE cannot be set. If the CA attribute were true, the end entity certificates could mint other certificates.Flagstone
So impossible with self-signed? Not clear. Because there is only one cert in this case, right? So a self-signed cannot be a CA, and without a CA, you can't verify... Is there something I'm missing, or is this generally a bad design for SSL.Dulcie
@WilburWhateley I'm rather new to using openssl, but from what I've gathered, openssl trusts no CA by default; you have to specify to it what CA(s) to trust. Additionally, you can create a CA yourself with openssl (CA:TRUE). Therefore, to get a self-signed certificate to verify, you need to first create your CA's certificate & key, then create your "self-signed" certificate by signing it with that newly created CA. At that point you can now verify your self-signed certificate using your own CA. At least that's what I've gathered the past 48 hours or so, and I have it working locally.Tharpe
Another case: pathlen can only be set when CA:TRUE is in basicConstraints.

Example:

basicConstraints=CA:TRUE,pathlen:10 # Okay
basicConstraints=CA:FALSE,pathlen:10 # Invalid!
Semitrailer answered 26/5, 2020 at 13:50 Comment(2)
Thanks for this. I had been beating my head against a wall for about an hour because I had set CA:FALSE, pathlen:0 on my leaf certificates ... the cert created OK, but openssl verify failed to validate it. Making the simple change to just be CA:FALSE resulted in validate-able certificates.Ulrikeulster
This is the correct answer.Tympany
I also had problems using the openssl verify command properly, so I also got the error: "error 20 at 0 depth lookup:unable to get local issuer certificate"

Here is a short explanation of how to use the openssl verify command correctly if you have a certificate chain with multiple intermediate certificates (more than two certificates).

Let's imagine we have the following certificate chain: my_root_ca.crt > my_intermediate_ca1.crt > my_intermediate_ca2.crt > leaf_cert.crt

openssl verify -CAfile my_root_ca.crt -untrusted all_my_intermediate_ca.crt leaf_cert.crt

my_root_ca.crt: This is the root certificate (self-signed)

all_my_intermediate_ca.crt: This file must include both intermediate certificates (my_intermediate_ca1.crt & my_intermediate_ca2.crt)

leaf_cert.crt: This is the actual certificate that gets verified.

So this would also work if you have more than two intermediate certificates. But you must include them all in one file.

Army answered 9/9, 2021 at 10:8 Comment(0)
I discovered two potential issues you might face.

Potential issue 1. The intermediate certificates might give you an issue.

When verifying our new QSeal certificate (in PEM format) against multiple intermediate certificates, I used the option -untrusted for each intermediate certificate. Here follows an example on macOS / Linux.

openssl verify -verbose -CAfile ./quovadis_root_ca1g3.pem -untrusted ./quovadis_quovadisenterprisetrustca1g3.pem -untrusted ./quovadis_quovadiseuissuingcertificationauthorityg4.pem ./qseal_new.crt

Output is now

./qseal_new.crt: OK

Potential issue 2. I keep getting this issue when using LibreSSL, even after fixing the intermediate certificate issue. Switching to OpenSSL solved it. I am aware that you use Windows, but others might encounter this issue when using an OpenSSL alternative.

Screening answered 9/9, 2021 at 10:33 Comment(0)
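Worked example, added here as editor's illustration; it is not code from the question, from any of the answers, or from OpenSSL. The script builds the four-level chain from Army's answer (root > int1 > int2 > leaf) with openssl and then runs openssl verify three ways: the way the question did (no trust anchor, no intermediates), with the root as -CAfile but no intermediates (Flagstone's point that -CAfile takes the root, and Army's that the intermediates still have to be supplied), and with the root as -CAfile plus both intermediates in one -untrusted file. Screening's form, one -untrusted per file, builds the same chain. It also mints a leaf with basicConstraints=CA:FALSE,pathlen:0, the mistake from Semitrailer's answer and Ulrikeulster's comment, and checks it with -x509_strict, which rejects a pathlen on a non-CA certificate; whether the default (non-strict) mode rejects it as well has varied across OpenSSL versions (Ulrikeulster's 2020 build did), so the script prints that result but makes no claim about it. Every name (Demo Root CA, int1, int2, leaf.example.test, badleaf, DEMO_DIR) is invented for this script; it needs a POSIX shell and an openssl binary with a usable default config file, and writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the page or from OpenSSL. Builds the chain
#   root -> int1 -> int2 -> leaf
# and runs `openssl verify` the way the question did and the way the answers
# recommend. All names (Demo Root CA, int1, leaf.example.test, DEMO_DIR) are
# invented for this script; it needs openssl on PATH and writes to a temp dir.
set -u

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"

# Extension bodies for `openssl x509 -extfile`; printf %b turns \n into newlines.
CA_EXT='keyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nbasicConstraints=critical,CA:TRUE'
LEAF_EXT='authorityKeyIdentifier=keyid\nkeyUsage=critical,digitalSignature,keyEncipherment\nbasicConstraints=CA:FALSE'

# mk_cert NAME SUBJECT_CN ISSUER EXTENSIONS
# ISSUER is the NAME of the signing certificate, or "" for a self-signed root.
mk_cert() {
    printf '%b\n' "$4" > "$DEMO_DIR/$1.ext" || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$DEMO_DIR/$1.key" \
        -subj "/CN=$2" -out "$DEMO_DIR/$1.csr" >/dev/null 2>&1 || return 1
    if [ -z "$3" ]; then
        openssl x509 -req -in "$DEMO_DIR/$1.csr" -signkey "$DEMO_DIR/$1.key" \
            -days 1 -extfile "$DEMO_DIR/$1.ext" -out "$DEMO_DIR/$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$DEMO_DIR/$1.csr" -CA "$DEMO_DIR/$3.pem" \
            -CAkey "$DEMO_DIR/$3.key" -CAcreateserial -days 1 \
            -extfile "$DEMO_DIR/$1.ext" -out "$DEMO_DIR/$1.pem" >/dev/null 2>&1
    fi
}

build_demo_pki() {
    mk_cert root "Demo Root CA" "" "$CA_EXT" || return 1
    # pathlen:1 below int1 leaves room for int2; pathlen:0 below int2 allows leaves only.
    mk_cert int1 "Demo Intermediate 1" root "authorityKeyIdentifier=keyid\n$CA_EXT,pathlen:1" || return 1
    mk_cert int2 "Demo Intermediate 2" int1 "authorityKeyIdentifier=keyid\n$CA_EXT,pathlen:0" || return 1
    mk_cert leaf "leaf.example.test" int2 "$LEAF_EXT" || return 1
    # The mistake discussed in the comments: a pathlen on a CA:FALSE certificate.
    mk_cert badleaf "badleaf.example.test" int2 "$LEAF_EXT,pathlen:0" || return 1
    # -untrusted takes one file holding every intermediate; their order does not matter.
    cat "$DEMO_DIR/int1.pem" "$DEMO_DIR/int2.pem" > "$DEMO_DIR/intermediates.pem"
}

# run_verify ARGS...: prints OK, ERR20 (the page's "unable to get local issuer
# certificate") or FAIL on stdout; openssl's own verbose output goes to stderr.
run_verify() {
    if out=$(openssl verify "$@" 2>&1); then status=0; else status=$?; fi
    printf '%s\n' "$out" >&2
    if [ "$status" -eq 0 ]; then echo OK; return; fi
    case "$out" in
        *"unable to get local issuer certificate"*) echo ERR20 ;;
        *) echo FAIL ;;
    esac
}

# What the question did: no trust anchor, no intermediates -> error 20 at depth 0.
verify_alone()      { run_verify "$DEMO_DIR/$1.pem"; }
# Root given with -CAfile but no intermediates -> still error 20 at depth 0.
verify_root_only()  { run_verify -CAfile "$DEMO_DIR/root.pem" "$DEMO_DIR/$1.pem"; }
# Root as trust anchor, intermediates via -untrusted -> the chain builds.
verify_with_chain() { run_verify -CAfile "$DEMO_DIR/root.pem" \
                          -untrusted "$DEMO_DIR/intermediates.pem" "$DEMO_DIR/$1.pem"; }
# Same, plus RFC 5280 strictness: a pathlen on a non-CA certificate is rejected.
verify_strict()     { run_verify -x509_strict -CAfile "$DEMO_DIR/root.pem" \
                          -untrusted "$DEMO_DIR/intermediates.pem" "$DEMO_DIR/$1.pem"; }

build_demo_pki || { echo "could not build the demo PKI in $DEMO_DIR" >&2; exit 1; }
echo "leaf, nothing else:            $(verify_alone leaf)"
echo "leaf, -CAfile root only:       $(verify_root_only leaf)"
echo "leaf, -CAfile root -untrusted: $(verify_with_chain leaf)"
# Default-mode result for the pathlen-on-leaf case varies with the OpenSSL version.
echo "badleaf, default checks:       $(verify_with_chain badleaf)"
echo "badleaf, -x509_strict:         $(verify_strict badleaf)"
```

One check worth knowing before trying the "append the intermediates to mycert.pem" route from the other answers: openssl verify reads only the first certificate from the file it is asked to verify, so extra certificates appended there are ignored by the verify command itself (they matter to a server such as Tomcat, which sends the whole file as its chain); for openssl verify, supply the intermediates with -untrusted as above.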
I solved this by creating a .pem with the private key, the server cert, and then the intermediate certificates, and running openssl verify on the .pem file to get an OK response.

Precess answered 13/6, 2024 at 12:15 Comment(0)
