OpenSSL certificate chain verification usually fails for one of three reasons: the server does not send an intermediate CA certificate, the certificate is self-signed, or the chain ends at a root the client does not trust. The errors you will see are "unable to get local issuer certificate" (code 20), "self signed certificate in chain" (code 19), "self signed certificate" (code 18, a self-signed leaf) and "unable to verify the first certificate" (code 21, the form s_client typically reports when a server omits its intermediates).
openssl s_client and openssl verify build and check the full chain, which makes them the quickest way to tell a server misconfiguration (missing intermediate) from a client trust-store problem (missing or private root).
Tools such as Postman and IBM products frequently need a chain fix, an addition to the CA bundle, or, as a temporary and insecure workaround, verification disabled while the real cause is found; OneUptime outlines the common pitfalls.
How to Verify a Certificate Chain Using OpenSSL Verify
| Item | Detail |
|---|---|
| Command | openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem |
| Purpose | Builds the chain from UserCert.pem through Intermediate.pem and validates it up to a root in RootCert.pem |
| Key flag | -untrusted supplies intermediates that may be used to build the chain but are not themselves trusted; only -CAfile/-CApath certificates are trust anchors |
| Output | "UserCert.pem: OK", or an "error N at D depth lookup:" line giving the error code N and the depth D (0 = the leaf) at which the chain broke |
- UNABLE_TO_GET_ISSUER_CERT_LOCALLY (code 20): the issuer of the certificate at the reported depth is neither in the presented chain nor in the local trust store; with depth 0 this almost always means the server omitted its intermediate CA.
- CERTIFICATE_VERIFY_FAILED is the generic SSL-layer reason string that OpenSSL-backed clients (Python's ssl module among them) wrap around any chain failure; the text after it carries the real X509 error, for example "unable to get local issuer certificate".
- DEPTH_ZERO_SELF_SIGNED_CERT (code 18): the server certificate itself is self-signed and is not in the trust store.
- SELF_SIGNED_CERT_IN_CHAIN (code 19): the chain builds up to a self-signed root that is not in the trust store, typically a private or internal CA (IBM Support).
- ERR_CERT_AUTHORITY_INVALID is Chromium's label for the same condition: the client does not trust the issuing CA.
- Error 20 is typically resolved on the server side by adding the intermediates to the certificate file it serves (OpenSSL Discussions).
| Step | Command/Detail | Notes |
|---|---|---|
| 1 | openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | Inspect the chain the server actually presents; -servername matters on hosts that select certificates by SNI, and </dev/null closes the session instead of waiting on stdin |
| 2 | openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null \| grep -c "BEGIN CERTIFICATE" | Count presented certificates; 2 or 3 is typical (leaf plus one or two intermediates) |
| 3 | openssl s_client -connect example.com:443 -CApath /etc/ssl/certs </dev/null 2>&1 \| grep "Verify return code" | 0 (ok) is success; a missing intermediate usually shows up here as 21 (unable to verify the first certificate), an untrusted root as 19 |
| 4 | openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted fullchain.pem fullchain.pem | Expect "fullchain.pem: OK"; openssl verify reads only the first certificate of each file, so the bundle must also be passed as -untrusted for its intermediates to be used |
| 5 | openssl verify -CAfile ca.cert -untrusted server.cert server.cert | Same technique for a server bundle issued by a private CA whose root is in ca.cert |
| 6 | openssl x509 -in server.crt -noout -issuer and openssl x509 -in intermediate.crt -noout -subject | The issuer DN must match the intermediate's subject DN exactly |
| 7 | openssl verify -crl_check -CAfile ca-bundle.crt -CRLfile ca.crl cert.pem | Checks revocation against a CRL you supply (-CRLfile, or a CRL concatenated into the CA bundle); -crl_check without a loaded CRL fails with "unable to get certificate CRL" |
| 8 | openssl x509 -in server.crt -noout -text \| grep "CA Issuers" | Locate the AIA URL from which the missing intermediate can be downloaded |
Checking for a Complete Certificate Chain
Servers must send the full chain, including the server certificate and intermediates; the root is optional.
openssl s_client -connect example.com:443 -showcerts displays the presented chain, one certificate at a time with its depth, subject and issuer; OneUptime's s_client guide covers the output in more detail.
How to check for a complete certificate chain?
Verify with openssl s_client -connect example.com:443 -CApath /etc/ssl/certs </dev/null and read the "Verify return code" line. If an intermediate is missing, download it from the CA Issuers URL in the certificate's Authority Information Access (AIA) extension.
"Unable to get local issuer certificate" arises when the server does not send the intermediate. Include the intermediates in fullchain.pem (leaf first, then each issuer in order, root not required) and reload the service.
Take the AIA URL from openssl x509 -in server.crt -noout -text | grep "CA Issuers", fetch it with curl, convert it with openssl x509 -inform DER if the download is DER (most CAs publish it that way), and append the resulting PEM to fullchain.pem. Re-run openssl verify on the new bundle before reloading.
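The following POSIX shell script is an added example, not code from the original page or from any of the sources it cites. It builds a throwaway root, intermediate and server certificate with the openssl CLI (1.1.1 or newer) and reproduces the outcomes described in the steps above: code 20 when the intermediate is absent, OK once it is supplied with -untrusted, the pitfall that openssl verify reads only the first certificate of fullchain.pem, code 19 for an untrusted root sent in the chain, code 18 for a self-signed leaf, the issuer/subject match of step 6, and the DER-to-PEM conversion an AIA download usually needs. The subject names, file names and scratch directory are assumptions made for the demo; nothing here contacts a real server.

```shell
#!/bin/sh
# Added example (not from the original page): build a throwaway
# root -> intermediate -> server hierarchy with the openssl CLI and
# reproduce the verify outcomes the steps above describe. Subject names,
# file names and the scratch directory are assumptions for this demo.

# Create the test PKI in a fresh scratch directory and print its path.
make_test_pki() (
    set -e
    work=$(mktemp -d)
    cd "$work"
    # Extension profiles: one for the two CAs, one for the server certificate.
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > ca_ext.cnf
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:example.test' > leaf_ext.cnf
    # Self-signed root: this is what a client keeps in its trust store.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=Example Root CA' -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
        -extfile ca_ext.cnf -out root.pem 2>/dev/null
    # Intermediate CA, issued by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=Example Intermediate CA' -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile ca_ext.cnf -out int.pem 2>/dev/null
    # Server certificate, issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=example.test' -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 30 -sha256 -extfile leaf_ext.cnf -out leaf.pem 2>/dev/null
    # What a correctly configured server sends: leaf first, then intermediates.
    cat leaf.pem int.pem > fullchain.pem
    # The same chain with the (unnecessary) root appended.
    cat leaf.pem int.pem root.pem > chain_with_root.pem
    echo "$work"
)

# Run "openssl verify" inside the PKI directory and print the numeric X509
# error it reports (20 = unable to get local issuer certificate, 18 = self
# signed certificate at depth 0, 19 = self signed certificate in chain),
# or 0 when the chain verifies.
verify_code() (
    cd "$1" && shift
    if out=$(openssl verify "$@" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1
    fi
)

# Step 6 above: the issuer DN of $2 must equal the subject DN of $3.
issuer_matches() (
    cd "$1"
    iss=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$3" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ "$iss" = "$sub" ]
)

# Normalise a certificate downloaded from an AIA "CA Issuers" URL to PEM.
# CAs often publish those files DER-encoded; appending DER to fullchain.pem
# would silently produce a bundle the server cannot load.
to_pem() {
    openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -out "$2"
}

# Walk through the checks, printing the observed code beside the expected one.
demo() {
    d=$(make_test_pki) || return 1
    echo "leaf only, root trusted                 expect 20 got $(verify_code "$d" -CAfile root.pem leaf.pem)"
    echo "intermediate supplied via -untrusted    expect 0  got $(verify_code "$d" -CAfile root.pem -untrusted int.pem leaf.pem)"
    echo "fullchain.pem as the only argument      expect 20 got $(verify_code "$d" -CAfile root.pem fullchain.pem)"
    echo "fullchain.pem also passed as -untrusted expect 0  got $(verify_code "$d" -CAfile root.pem -untrusted fullchain.pem fullchain.pem)"
    echo "root sent in chain but not trusted      expect 19 got $(verify_code "$d" -no-CAfile -no-CApath -untrusted chain_with_root.pem leaf.pem)"
    echo "self-signed certificate at depth 0      expect 18 got $(verify_code "$d" -no-CAfile -no-CApath root.pem)"
    issuer_matches "$d" leaf.pem int.pem && echo "leaf issuer DN matches intermediate subject DN"
    rm -rf "$d"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as sh chain_demo.sh run. The third line of the demo is the one worth remembering: passing fullchain.pem alone to openssl verify reports 20 even though the intermediate is in the file, because the tool only verifies the first certificate it reads; the intermediates are used only when the same file is also given as -untrusted.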
Tools and Utilities for SSL Certificate Chain Verification
openssl verify handles local files and openssl s_client handles live servers; openssl x509 covers issuer matching and AIA lookup, and openssl ocsp or openssl verify -crl_check cover revocation.
Postman can report "Unable to verify the first certificate" even with SSL certificate verification switched off. Fixes reported by users include correcting the system time, adding the CA or server certificate under Settings > Certificates, or re-importing the server certificate (Postman Community).
Confirm that no per-request setting overrides the global one, delete scripts that alter TLS behaviour, and make sure the system clock is correct, since certificate validity is checked against it. Reproduce the request with curl without --insecure: if curl fails the same way, the problem is the server's chain, not Postman.
IBM support notes attribute "self signed certificate in chain" errors to a private root missing from the client's trust store; the fix is to import the full CA bundle (root and intermediates) into that trust store (IBM Community).
SSL/TLS Certificate Verification in Practice
Clients build the chain from the certificates the server presents and try to connect it to a root in their trust store. Any missing link, whether an intermediate the server omitted or a root the client lacks, fails the handshake.
For IBM products, paste the CA bundle into the product's CA certificate setting (Terraform Enterprise exposes such a field) and restart the service. App Connect may need its trust store updated; disabling TLS verification there is a stopgap, not a fix (IBM Checking Guide).
Prevention is a server-side fullchain.pem, a configuration reload and a retest with s_client. Certificates from a custom CA verify only when that CA is supplied explicitly with -CAfile (WebsitePulse).
Troubleshoot SSL Certificate Chain Errors on OneUptime covers reload steps like sudo nginx -t && sudo systemctl reload nginx.
Understanding OpenSSL Verify Results
| Established | Unclear or Uncertain |
|---|---|
| "OK" from openssl verify confirms a valid chain to a trusted root | Error codes pinpoint the failing depth, but if the AIA URL is absent or unreachable the intermediate has to be fetched manually from the CA |
| Verify return code 0 (ok) from s_client indicates a complete trust path from that client's trust store | Revocation status depends on CRL or OCSP availability and is not checked by default |
| "fullchain.pem: OK" verifies the local file against the supplied CA bundle | Trust stores differ between operating systems and applications, so one client may fail where another succeeds |
Summary: Steps to Secure Chain Verification
Inspect with openssl s_client, verify with openssl verify using -CAfile for the trust anchor and -untrusted for intermediates, fix incomplete chains by downloading the intermediate from the AIA URL, and retest after the reload. Missing intermediates cause most errors; serving the full chain keeps every client working, including those that cannot fetch intermediates themselves.
Frequently Asked Questions
What does error code 20 mean in OpenSSL?
"Unable to get local issuer certificate": the issuer of the certificate at the reported depth was found neither in the chain nor locally, which at depth 0 means the server omitted its intermediates. s_client often reports the same misconfiguration as code 21, "unable to verify the first certificate". Fix it by building fullchain.pem with the intermediates included.
How many certificates in a complete chain?
Typically 2-3: server cert plus 1-2 intermediates. Roots optional as clients hold them.
What is the -untrusted flag?
Allows specifying untrusted intermediates to construct chain to trusted root CA.
How to fix the Postman "first certificate" error?
Check that the system clock is correct, add the CA or server certificate under Settings > Certificates, and remove scripts or per-request settings that change TLS behaviour. Disabling SSL certificate verification globally is a temporary workaround that hides the problem rather than fixing it.
What causes "self signed certificate in chain"?
The chain ends at a self-signed root that is not in the client's trust store, usually a private or internal CA. Either add that CA's bundle to the trust store or replace the server certificate with one issued from a publicly trusted chain.
How to check revocation in chain?
Use openssl verify -crl_check with the CRL supplied via -CRLfile, or query OCSP with openssl ocsp -issuer intermediate.pem -cert server.pem -url <OCSP URL from the AIA extension> -CAfile ca-bundle.crt.
Do servers need to send root cert?
No; clients trust public roots. Send server + intermediates only.