openssl verify - error 20 at 0 depth lookup:unable to get local issuer certificate

Question

i created a PEM certificate from a PFX certificate and wanted to verify it. However i ran into this issue, try to find some answers, but i didnt and therefore i dont know how to fix it. could you please advice? thank you very much.

C:\OpenSSL-Win32\bin>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

C:\OpenSSL-Win32\bin>openssl
OpenSSL> verify C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>

Answer 1

I solved this by creating a .pem with Private Key,Server Crt, and then the Intermediate certificates and running openssl verify on the pem file to get an OK response.

Answer 2

I discovered two potential issues you might face.

Potential issue 1. The intermediate certificates might give you an issue.

When verifying our new QSeal certificate (in PEM format) against multiple intermediate certificates, I used option -untrusted for each intermediate certificate. Here follows an example on MacOS / Linux.

openssl verify -verbose -CAfile ./quovadis_root_ca1g3.pem -untrusted ./quovadis_quovadisenterprisetrustca1g3.pem -untrusted ./quovadis_quovadiseuissuingcertificationauthorityg4.pem ./qseal_new.crt

Output is now

./qseal_new.crt: OK

Potential issue 2. I get keeping this issue when using LibreSSL, even when fixing the intermediate certificate issue. Switching to OpenSSL solved it. I am aware that you use Windows, but others might encounter this issue when using an OpenSSL alternative.

Answer 3

I also had problems using the openssl verify command properly. So I also got the error: "error 20 at 0 depth lookup:unable to get local issuer certificate"

Here is a short explanation how to use the openssl verify command correctly if you have a certificate chain with multiple intermediate certificates (more than 2 certificates).

Lets imagine we have following certificate chain: my_root_ca.crt > my_intermediate_ca1.crt > my_intermediate_ca2.crt > leaf_cert.crt

openssl verify -CAfile my_root_ca.crt -untrusted all_my_intermediate_ca.crt leaf_cert.crt

my_root_ca.crt: This is the root certificate (self-signed)

all_my_intermediate_ca.crt: This file must include both intermediate certificates (my_intermediate_ca1.crt & my_intermediate_ca2.crt)

leaf_cert.crt: This is the actual certificate that gets verified.

So this would also work if you have more than two intermediate certificates. But you must include them all in one file.

Answer 4

Another case is pathlen can only be set when CA:TRUE in basicConstraints.

Example:

basicConstraints=CA:TRUE,pathlen:10 # Okay
basicConstraints=CA:FALSE,pathlen:10 # Invalid!

Answer 5

OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem

Close. You need to add the CA's root certificate with -CAfile; and not your end entity certificate. Something like:

openssl verify -CAfile C:\ca-cert.pem C:\mycert.pem

Also, if there is an intermediate certificate, then it needs to be added to mycert.pem. So mycert.pem will actually have two (or more) certificates (rather than one).

Adding all required certificates to mycert.pem in an effort to build a valid chain solves the "which directory" problem. Its a well known problem in PKI. Essentially, a client (like me) does not know where to go to get missing intermediate certificates.