I read other questions about this topic, but they didn't help me.
I have a self-signed root CA.
[ubuntu@user]$ openssl x509 -in rootca.cer -noout -subject
subject= /O=org/CN=ROOT CA
[ubuntu@user]$ openssl x509 -in rootca.cer -noout -issuer
issuer= /O=org/CN=ROOT CA
I have an intermediate CA signed by the root CA.
[ubuntu@user]$ openssl x509 -in intermediateca.cer -noout -subject
subject= /O=org/CN=INTERMEDIATE CA
[ubuntu@user]$ openssl x509 -in intermediateca.cer -noout -issuer
issuer= /O=org/CN=ROOT CA
I also have the final certificate signed by intermediate CA.
[ubuntu@user]$ openssl x509 -in finalcert -noout -subject
subject= blabla
[ubuntu@user]$ openssl x509 -in finalcert -noout -issuer
issuer= /O=org/CN=INTERMEDIATE CA
This is the verification process that I followed.
[ubuntu@user]$ openssl verify -verbose -CAfile rootca.cer intermediateca.cer
intermediateca.cer: OK
[ubuntu@user]$ openssl verify -verbose -CAfile rootca.cer -untrusted intermediateca.cer finalcert.cer
finalcert.cer: blabla
error 20 at 0 depth lookup: unable to get local issuer certificate
Why can't I verify the final cert correctly?
Thank you.
I have just noticed that the public key of intermediateca.cer was changed after the final cert was signed. This is why the verification returns an error.
This can be checked with the hashes of the public keys in the intermediate and final certs. The hashes are stored in the Subject Key Identifier and Authority Key Identifier keys.
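The check described in the answer, as an added example that is not part of the original question or answer: the script builds a throwaway root / intermediate / leaf chain, then re-keys the intermediate after the leaf was issued (the situation the answer describes), and compares the leaf's Authority Key Identifier with the intermediate's Subject Key Identifier. A mismatch there is the direct explanation for `error 20 at 0 depth lookup: unable to get local issuer certificate`, because `openssl verify` matches a certificate to its issuer by that key identifier, not by the issuer name alone. It assumes `openssl` 1.1.1 or newer on PATH; all file names, subjects and extension profiles are constructed for the demo and have no relation to the poster's `rootca.cer` / `intermediateca.cer`.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl >= 1.1.1.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = org
EOF

# Extension profiles: SKI/AKI are the fields the answer says to compare.
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > leaf.ext

# Fresh key pair + CSR. $1 = basename, $2 = subject (constructed values).
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

mkcsr root  "/O=org/CN=ROOT CA"
mkcsr inter "/O=org/CN=INTERMEDIATE CA"
mkcsr leaf  "/O=org/CN=leaf.example.test"

openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root.ext -out root.cer 2>/dev/null
openssl x509 -req -in inter.csr -CA root.cer -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out inter.cer 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.cer -CAkey inter.key -CAcreateserial -days 30 -extfile leaf.ext -out leaf.cer 2>/dev/null

# The situation from the answer: the intermediate is re-keyed (same subject
# name, new key pair) AFTER the leaf was already issued.
mkcsr inter2 "/O=org/CN=INTERMEDIATE CA"
openssl x509 -req -in inter2.csr -CA root.cer -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out inter_rekeyed.cer 2>/dev/null

# Key identifier from the -text dump. $1 = cert, $2 = Subject | Authority.
# Normalised to bare uppercase hex so values compare as plain strings
# (OpenSSL 1.1.1 prints a "keyid:" prefix before the AKI value, 3.x does not).
keyid() {
  openssl x509 -in "$1" -noout -text \
    | awk -v want="X509v3 $2 Key Identifier" 'found { print; exit } index($0, want) { found = 1 }' \
    | sed 's/keyid://' | tr -d ' :' | tr 'a-f' 'A-F'
}

# SHA-256 over the DER SubjectPublicKeyInfo: shows that the key itself changed.
pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{ print $NF }'
}

# "yes" when $1's AKI equals $2's SKI, i.e. $2 carries the key that signed $1.
issuer_key_matches() {
  aki=$(keyid "$1" Authority); ski=$(keyid "$2" Subject)
  if [ -n "$aki" ] && [ "$aki" = "$ski" ]; then echo yes; else echo no; fi
}

# "OK" or "FAIL" from the same verify command the poster used.
verify_chain() {
  if openssl verify -CAfile root.cer -untrusted "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

echo "leaf AKI           : $(keyid leaf.cer Authority)"
echo "intermediate SKI   : $(keyid inter.cer Subject)  match=$(issuer_key_matches leaf.cer inter.cer) verify=$(verify_chain leaf.cer inter.cer)"
echo "re-keyed inter SKI : $(keyid inter_rekeyed.cer Subject)  match=$(issuer_key_matches leaf.cer inter_rekeyed.cer) verify=$(verify_chain leaf.cer inter_rekeyed.cer)"
echo "inter pubkey sha256: $(pubkey_fp inter.cer)"
echo "re-keyed pubkey    : $(pubkey_fp inter_rekeyed.cer)"
```

Run it and the first intermediate reports `match=yes verify=OK`, while the re-keyed one (same issuer name as before) reports `match=no verify=FAIL`, reproducing the poster's situation. The fix on the issuing side is to reissue the leaf under the re-keyed intermediate, or keep distributing the original intermediate certificate that still carries the old public key; on the relying side, comparing AKI to SKI is a quicker diagnosis than reading the verify error alone.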