
openssl verify not working with GeoTrust Certificate

I have a newly purchased GeoTrust domain certificate and a matching CA file and would like to verify with openssl.

openssl verify -verbose -purpose any \
    -CAfile /full/path/sub.domain.com-geotrust.crt /full/path/sub.domain.com.crt

From this page: https://secure.marumoto.us/motowiki/tiki-index.php?page=Verify+a+Certificate+Chain

The issuer of each certificate in the chain should match the subject of the next certificate in the chain. For example the issuer of myserver.mydomain.com.cert should match the subject of myintermediate_ca.cert, and the issuer of myintermediate_ca.cert should match the subject of myroot_ca.cert. You can use the following command to view a certificate in .pem or base64 format.

From

openssl x509 -text -in sub.domain.crt
openssl x509 -text -in sub.domain-geotrust.crt    (CA root file)

sub.domain.com
Subject:    OU=GT44865949, 
            OU=See www.geotrust.com/resources/cps (c)15, 
            OU=Domain Control Validated - QuickSSL(R), 
            CN=sub.domain.com
Issuer:
            commonName                = GeoTrust DV SSL CA - G4
            organizationalUnitName    = Domain Validated SSL
            organizationName          = GeoTrust Inc.
            countryName               = US        

Intermediate:        
Subject:
            commonName                = GeoTrust DV SSL CA - G4
            organizationalUnitName    = Domain Validated SSL
            organizationName          = GeoTrust Inc.
            countryName               = US

Issuer:
            commonName                = GeoTrust Global CA
            organizationName          = GeoTrust Inc.
            countryName               = US

Root:
Subject:
            commonName                = GeoTrust Global CA
            organizationName          = GeoTrust Inc.
            countryName               = US
Issuer:
            organizationalUnitName    = Equifax Secure Certificate Authority
            organizationName          = Equifax
            countryName               = US            

It appears my Issuer and Subject fields are matching up properly but I am getting the following error with openssl:

error 20 at 0 depth lookup:unable to get local issuer certificate
/full/path/sub.domain.com.crt: /OU=GT44865949/OU=See www.geotrust.com/resources/cps (c)15/OU=Domain Control Validated - QuickSSL(R)/CN=sub.domain.com
error 20 at 0 depth lookup:unable to get local issuer certificate

I'd like to use this and a similar GeoTrust certificate at a different subdomain to do two-way SSL authentication at a RESTful web URL, but the certs won't verify with 'openssl verify' against the CA files issued with them. Any suggestions much appreciated.

As per discussion, it is a matter of allowing openssl to see the entire validation chain: with both GeoTrust CA intermediates and the root.

openssl should be run with CADir parameter containing all the 3 CAs in PEM format. The actual root for GeoTrust can either be extracted from your favourite browser, or here: filedropper.com/geotrustglobalca.

When you configure your actual server, just make sure that you send the intermediates on the Server Hello, some sites don't do that and break clients that do not have the intermediates cached.

Following on from RomanK's answer, you can get the GeoTrust Global CA from their root certificate store. They have a number of primary/universal/global certificates listed there, so make sure to get the right one for your intermediate certificate.

As per the chain display, the root certificate is not self-signed. It shows it's issued by Equifax. OpenSSL will continue giving the error "local issuer certificate not found" till it gets a self-signed root certificate. When it comes across a self-signed root, it's able to verify the certificate chain as complete.
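The points made in the answers above (RomanK's: openssl must see the intermediate and the root; the last answer's: the chain must end in a self-signed root) can be reproduced end to end on a throwaway chain. The script below is an added example, not code from the question or from any answer. It generates its own root, intermediate and server certificate with openssl, so every name in it (Example Test Root CA, Example Test Intermediate CA, sub.example.test) is made up, and it assumes OpenSSL 1.1.1 or newer (for req -x509 with -extensions and verify -untrusted) plus mktemp.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above. Builds a
# throwaway root -> intermediate -> leaf chain with openssl and reproduces each
# outcome of "openssl verify". All names are made up for the demo.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:sub.example.test
EOF

# root.crt is self-signed, int.crt is issued by root, leaf.crt is issued by int.
make_chain() (
  cd "$WORK" &&
  openssl req -x509 -config ext.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -days 30 -subj "/CN=Example Test Root CA" 2>/dev/null &&
  openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Example Test Intermediate CA" 2>/dev/null &&
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
    -extfile ext.cnf -extensions v3_ca -out int.crt 2>/dev/null &&
  openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=sub.example.test" 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 \
    -extfile ext.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null &&
  # Intermediate plus root in one PEM file: what -CAfile needs to see the whole chain.
  cat int.crt root.crt > chain.crt
)

# Verify leaf.crt against a trust store ($1, passed to -CAfile) and optional
# untrusted helper certs ($2, passed to -untrusted, the role the intermediates a
# server sends play for a TLS client). Prints "ok" or "error N depth D: reason".
verify_result() {
  if [ -n "${2:-}" ]; then
    out="$(openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.crt" 2>&1)"
  else
    out="$(openssl verify -CAfile "$1" "$WORK/leaf.crt" 2>&1)"
  fi
  rc=$?
  if [ "$rc" -eq 0 ]; then
    echo ok
    return 0
  fi
  # Normalise "error 20 at 0 depth lookup:unable to ..." (old and new output formats).
  printf '%s\n' "$out" |
    sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth lookup: *\(.*\)$/error \1 depth \2: \3/p' |
    head -n 1
  return 1
}

# A self-signed root has subject == issuer and validates under its own key.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

make_chain || { echo "could not build the test chain" >&2; exit 1; }

echo "root only            : $(verify_result "$WORK/root.crt")"    # the question's error 20 at depth 0: no intermediate
echo "intermediate only    : $(verify_result "$WORK/int.crt")"     # fails: the chain never reaches a self-signed root
echo "intermediate + root  : $(verify_result "$WORK/chain.crt")"   # ok
echo "root, -untrusted int : $(verify_result "$WORK/root.crt" "$WORK/int.crt")"  # ok
for c in root int leaf; do
  if is_self_signed "$WORK/$c.crt"; then echo "$c.crt: self-signed"; else echo "$c.crt: not self-signed"; fi
done
```

The last two cases both succeed but mean different things: concatenating the intermediate into -CAfile makes it a trust anchor in its own right, whereas -untrusted treats it as an unverified hop that must still chain up to a root in the store. The -untrusted form mirrors what a real client does with the intermediates a server sends in its handshake, which is why a server that omits them breaks clients that have not cached them.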
