I am building an openssl Certificate Authority for an intranet. I have root.crt, intermediate.crt which is signed by the root, and server.crt which is signed by the intermediate.
I can validate the intermediate against the root
#> openssl verify -CAfile root.crt intermediate.crt && echo ok
ok
On Ubuntu I can install the root certificate
#> mv root.crt /usr/local/share/ca-certificates/my-root.crt
#> update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
done.
But if I try to validate the server against the intermediate, it fails
#> openssl verify -CAfile intermediate.crt server.crt && echo ok
error 2 at 1 depth lookup:unable to get issuer certificate
I think this means it can't validate the full chain server.crt -> intermediate.crt -> my-root.crt.
I've examined the certificates by hand with openssl x509 -noout -text and they look okay: Issuer for server.crt matches the subject of the intermediate certificate, for the other two it matches the root, and the dates are in the correct range.
The goal is to distribute the server and intermediate certificates in the applications, and have the root certificate installed globally. I swear this worked a while ago, so what have I left out?
0 Answers
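The verify failure above is reproducible with a throwaway PKI. The following script is an added example, not code from the question: it builds a self-signed root, an intermediate signed by the root and a server certificate signed by the intermediate (the names "Example Root CA", "Example Intermediate CA" and server.example.test are constructed placeholders), then runs three openssl verify invocations. The first is the one from the question, with only intermediate.crt as the trust anchor; openssl refuses it because chain building must end at a self-signed certificate in the trust store, so it stops at depth 1 with "unable to get issuer certificate". The second trusts the root and hands the intermediate over with -untrusted, which is the role an intermediate normally plays. The third uses -partial_chain to accept the intermediate itself as an anchor. The script writes its own minimal req config so it does not depend on the system openssl.cnf, and passes -no-CAfile -no-CApath so the system trust store does not influence the result.

```shell
#!/bin/sh
# Added example: build root -> intermediate -> server with openssl and show
# which `openssl verify` forms succeed. All names below are constructed.

WORK="${WORK:-$(mktemp -d)}"

# Minimal config files so nothing here depends on the system openssl.cnf.
write_configs() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
EOF
  cat > "$WORK/ext.cnf" <<'EOF'
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[int_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:server.example.test
EOF
}

# Issue one certificate.
#   $1 = file base name, $2 = subject CN, $3 = extension section in ext.cnf,
#   $4 = issuer base name, or "self" for a self-signed root.
issue() {
  name=$1; cn=$2; ext=$3; issuer=$4
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$cn" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -days 30 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$WORK/ext.cnf" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -days 30 -in "$WORK/$name.csr" \
      -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -extfile "$WORK/ext.cnf" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

build_chain() {
  write_configs
  issue root "Example Root CA" root_ext self
  issue intermediate "Example Intermediate CA" int_ext root
  issue server "server.example.test" server_ext intermediate
}

# The invocation from the question: only the intermediate is offered as a
# trust anchor. OpenSSL still needs to reach a self-signed root, so this
# fails with "unable to get issuer certificate" at depth 1.
verify_intermediate_as_anchor() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/intermediate.crt" \
    "$WORK/server.crt"
}

# Usual form: the root is the anchor, the intermediate is supplied as an
# untrusted chain certificate (what a TLS server sends alongside its leaf).
verify_root_plus_untrusted() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.crt" \
    -untrusted "$WORK/intermediate.crt" "$WORK/server.crt"
}

# Alternative: explicitly accept a non-self-signed certificate as an anchor.
verify_partial_chain() {
  openssl verify -no-CAfile -no-CApath -partial_chain \
    -CAfile "$WORK/intermediate.crt" "$WORK/server.crt"
}

build_chain
echo "--- intermediate as the only anchor (the question's command):"
verify_intermediate_as_anchor || echo "fails, as in the question"
echo "--- root as anchor, intermediate via -untrusted:"
verify_root_plus_untrusted
echo "--- intermediate as anchor with -partial_chain:"
verify_partial_chain
```

For the setup described in the question, where the root is installed globally with update-ca-certificates, the equivalent check is openssl verify -untrusted intermediate.crt server.crt with no -CAfile at all, so that the root is found in the default store. It is also worth confirming that the root really landed there: the update-ca-certificates output quoted above reports "0 added", and ls -l /etc/ssl/certs | grep my-root shows whether a symlink for it exists.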