
I have a Certificate which has been issued by a non-standard CA over which I have no control.

I generated the CSR, sent it to non-standard CA and it returned a valid Certificate.

This Certificate is normally used to sign documents I send to CA owners and they only accept documents signed with their own CA.

So far everything works as expected.

I also have the CA public certificate. I would like (for testing and other purposes) to be able to verify locally that MY Certificate is valid (i.e.: use some local openssl command to verify the Certificate returned against the CA Certificate).

Is this at all possible? If so, how?

Plain verification fails (perhaps because I have just the CA Certificate and not the whole chain):

    $ openssl verify -CAfile CertificatoCA.pem 9AIN2012501.cer
    C = IT, O = Certificate Authority, OU = Nonstandard Certificate Authority, CN = 9AIN2012501
    error 20 at 0 depth lookup: unable to get local issuer certificate
    error 9AIN2012501.cer: verification failed

Any idea? Thanks in advance.

ZioByte
  • You have `error 20 at 0 depth lookup`, which means OpenSSL couldn't find the issuer of the certificate you're verifying - the `9AIN2012501.cer` one. How many certificates in the chain? – garethTheRed Sep 02 '20 at 11:31
  • Did you install the CA certificate on your computer? It sounds like you did not. – Michael Hampton Sep 02 '20 at 15:24
  • @MichaelHampton: of course not. I do not want to install that certificate globally on any machine, I want to verify, very locally, that a certain certificate was issued by a very specific CA *without* "trusting" that CA on my machine. – ZioByte Sep 03 '20 at 08:00
  • @garethTheRed: CA I'm speaking about is Italian "Agenzia delle Entrate" whose Certificate is available [here](https://telematici.agenziaentrate.gov.it/Abilitazione/CertificatoCA.jsp). Apparently there's just one Certificate in chain (but I'm not an expert). I can provide a throw-away Certificate for testing, if needed. – ZioByte Sep 03 '20 at 08:06
  • You can read the issuer of your `9AIN2012501.cer` certificate, then find that certificate and see who its issuer is. If the issuer is itself, then it's a self-issued root CA certificate, which is what you should have in `CertificatoCA.pem`. Any additional certificates (between those two) can be added to a file which is referenced by the `-untrusted` option. – garethTheRed Sep 03 '20 at 14:13
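
The local check the question asks for, as an added example that is not from the question or its comments: a throw-away root, an unrelated root, an intermediate and two leaf certificates are generated with openssl in a temp directory, then `openssl verify -CAfile` is run against the right root, the wrong root, and (per the last comment) with the intermediate supplied through `-untrusted`, all without touching the system trust store. It assumes the openssl CLI (1.1.1 or 3.x with its default openssl.cnf) is on PATH; the file stems and CNs are constructed for the example.

```shell
# Added example, not from the question or its comments. Assumes the openssl
# CLI (1.1.1 or 3.x, with its default openssl.cnf) is on PATH. Everything
# is built under a temp dir; no CA is added to the system trust store.
set -e
WORK=$(mktemp -d)
quiet() { "$@" >/dev/null 2>&1; }

mkroot() {  # $1 = file stem, $2 = CN. req -x509 makes a self-signed CA cert,
    quiet openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem"  # i.e. what CertificatoCA.pem holds
}
issue() {  # $1 = stem, $2 = signing CA stem, $3 = CN; EXT = optional extfile
    quiet openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr"
    quiet openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
        -CAkey "$WORK/$2.key" -CAcreateserial -days 1 \
        -out "$WORK/$1.pem" ${EXT:+-extfile} $EXT
}
# Compare who a cert says issued it with who a CA cert says it is.
issuer_of()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }
subject_of() { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
# Verify $2 against trust anchor $1 only; $3 (optional) holds intermediates,
# which are NOT trusted by themselves, just used to complete the chain.
check() {
    if [ -n "$3" ]; then set -- -CAfile "$1" -untrusted "$3" "$2"
    else set -- -CAfile "$1" "$2"; fi
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

mkroot root  "Test Root CA"
mkroot other "Unrelated Root CA"
issue  leaf  root "leaf-signed-directly-by-root"
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
EXT="$WORK/ca.ext"; issue inter root "Test Intermediate CA"; EXT=""
issue  leaf2 inter "leaf-signed-by-intermediate"

echo "issuer of leaf : $(issuer_of "$WORK/leaf.pem")"
echo "subject of root: $(subject_of "$WORK/root.pem")"
echo "right CA, one-level chain      : $(check "$WORK/root.pem"  "$WORK/leaf.pem")"   # OK
echo "wrong CA                       : $(check "$WORK/other.pem" "$WORK/leaf.pem")"   # FAIL
echo "root only, intermediate missing: $(check "$WORK/root.pem"  "$WORK/leaf2.pem")"  # FAIL (error 20)
echo "root + -untrusted intermediate : $(check "$WORK/root.pem"  "$WORK/leaf2.pem" "$WORK/inter.pem")"  # OK
```

The third case reproduces the question's `error 20 at 0 depth lookup`: the leaf's issuer is the intermediate, which is neither the trust anchor nor supplied as untrusted, so the chain cannot be built.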

0 Answers