# OpenSSL - unable to get local issuer certificate



## Leander (Apr 25, 2015)

Hi,

I try to verify my Certs. After some research, I figured, what the error:


```
Verify error:unable to get local issuer certificate
```
exactly meant. Turns out, I missed the hash based symbolic links in the CA-Path - so I created them accordingly.

In order to understand my hierarchy: I have a self-signed Root-CA.crt. Root-CA.crt is the daddy of Signing-CA.crt - it got signed by Root-CA.crt. Now each certificate I create for my network services is signed by Signing-CA.crt - such as e.g. FreeBSD.MyDomain.Local.crt.

Root-CA.crt (Has no OCSP and CRL URL)

Signing-CA.crt (Has no OCSP and CRL URL)

ServerCert.crt (for Apache, Dovecot, and so on ... Has OCSP and CRL URL)


```
root@FreeBSD # ls -lach /etc/ssl/PKI/CA/
total 104
drwxr-xr-x  4 root  wheel  512B 19 Apr 15:15 .
drwxr-xr-x  4 root  wheel  512B 19 Apr 15:15 ..
lrwxr-xr-x  1 root  wheel  16B 19 Apr 15:15 2a9fcf4c.0 -> ./Signing-CA.crt
lrwxr-xr-x  1 root  wheel  13B 19 Apr 15:15 8d2fba8c.0 -> ./Root-CA.crt
-rw-r--r--  1 root  wheel  3.0K 19 Apr 15:15 CA-Chain.p7c
-rw-r--r--  1 root  wheel  4.0K 19 Apr 15:15 CA-Chain.pem
drwxr-xr-x  7 root  wheel  512B 19 Apr 15:15 Root-CA
-rw-r--r--  1 root  wheel  7.1K 19 Apr 15:15 Root-CA.crt
-rw-r--r--  1 root  wheel  1.8K 19 Apr 15:15 Root-CA.csr
drwxr-xr-x  7 root  wheel  512B 19 Apr 15:15 Signing-CA
-rw-r--r--  1 root  wheel  7.1K 19 Apr 15:15 Signing-CA.crt
-rw-r--r--  1 root  wheel  1.8K 19 Apr 15:15 Signing-CA.csr
```
Now verification seems to work:


```
root@FreeBSD # openssl verify -CApath /etc/ssl/PKI/CA/ /etc/ssl/PKI/CA/Signing-CA.crt
/etc/ssl/PKI/CA/Signing-CA.crt: OK

root@FreeBSD # openssl verify -CApath /etc/ssl/PKI/CA/ /etc/ssl/PKI/CA/Root-CA.crt
/etc/ssl/PKI/CA/Root-CA.crt: OK

openssl verify -CApath /etc/ssl/CA/ /etc/ssl/CA/Signing-CA/Certs/FreeBSD.MyDomain.Local.crt
/etc/ssl/PKI/CA/Signing-CA/Certs/WM-01.NetOcean.Local.crt: OK
```
All good so far. Now I need ocsp(1) to verify instead of regular verify(1). Unfortunately I don't get it working. This is how I try to verify


```
spawn openssl ocsp  -index  ./../PKI/CA/Signing-CA/DB/Signing-CA.db \
  -VAfile  ./../PKI/CA/Signing-CA.crt \
  -CA  ./../PKI/CA/Signing-CA.crt \
  -CApath  ./../PKI/CA/ \
  -rsigner ./../PKI/CA/Signing-CA.crt \
  -rkey  ./../PKI/CA/Signing-CA/Private/Signing-CA.key \
  -resp_key_id \
  -reqin  ./filename-request.der \
  -respout ./filename-response.der
expect -re ".*phrase.*:.*"
send -- "MySigningCAPassPhrase\r"
expect eof
```
Debugging the two files ./filename-request.der and ./filename-response.der tells me more:


```
openssl ocsp -reqin  /tmp/OCSP/filename-request.der  -text
OCSP Response Data:
  OCSP Response Status: successful (0x0)
  Response Type: Basic OCSP Response
  Version: 1 (0x0)
  Responder Id: 4525615607ADBAF7C88C04352FD73B32B7939229
  Produced At: Apr 25 22:06:31 2015 GMT
  Responses:
  Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 70BE3B73C58233B7F4D1B1BEE03D4D597007CE30
  Issuer Key Hash: 4525615607ADBAF7C88C04352FD73B32B7939229
  Serial Number: 01
  Cert Status: unknown
  This Update: Apr 25 22:06:31 2015 GMT

  Response Extensions:
  OCSP Nonce:
  04103501981BAAF67BA8E9A49CF05685B89B
  Signature Algorithm: sha1WithRSAEncryption
  1d:ce:4b:7f:91:66:09:3c:f8:e4:16:e8:7e:42:76:bd:1f:ee:
[...]
removed for demonstration
[...]
  42:2c:8e:1d:c2:87:d6:2c
Certificate:
  Data:
  Version: 3 (0x2)
  Serial Number: 2 (0x2)
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Root CA
  Validity
  Not Before: Apr 19 13:15:43 2015 GMT
  Not After : Apr 14 13:15:43 2035 GMT
  Subject: DC=org, DC=simple, O=Simple Inc, OU=Simple Signing CA, CN=Simple Signing CA
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  Public-Key: (4096 bit)
  Modulus:
  00:c6:ae:05:17:cc:46:61:35:93:ca:9b:34:d4:38:
[...]
removed for demonstration
[...]
  be:1e:63:66:90:95:92:d4:15:82:33:76:f9:0c:14:
  2a:76:8b
  Exponent: 65537 (0x10001)
  X509v3 extensions:
  X509v3 Key Usage: critical
  Certificate Sign, CRL Sign
  X509v3 Basic Constraints: critical
  CA:TRUE, pathlen:0
  X509v3 Subject Key Identifier:
  45:25:61:56:07:AD:BA:F7:C8:8C:04:35:2F:D7:3B:32:B7:93:92:29
  X509v3 Authority Key Identifier:
  keyid:0E:6E:61:08:F1:26:68:83:AC:4A:DD:AA:56:C5:B7:D6:E6:80:42:FA

  Signature Algorithm: sha1WithRSAEncryption
  5d:c1:ff:ef:1b:93:59:73:9d:ee:00:ba:3f:c3:f3:a3:23:20:
[...]
removed for demonstration
[...]
  7e:e6:c5:ca:4e:31:93:a3
-----BEGIN CERTIFICATE-----
MIIFzzCCA7egAwIBAgIBAjANBgkqhkiG9w0BAQUFADB0MRMwEQYKCZImiZPyLGQB
[...]
removed for demonstration
[...]
MZOj
-----END CERTIFICATE-----
Response Verify Failure
34379245432:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/ocsp/ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
```
Why do I keep on getting this error


```
error:unable to get local issuer certificate
```
again?! This is where I'm currently stuck. Any hints on what plunder I've made in the ocsp comand would be greatly appreaciated.

Thanks a lot


----------



## Leander (Apr 25, 2015)

No idea?


----------



## Leander (Apr 25, 2015)

It also turns out, ocsp doesn't like chains. Now I get at least a

*Cert Status: good*

```
OCSP Response Data:
  OCSP Response Status: successful (0x0)
  Response Type: Basic OCSP Response
  Version: 1 (0x0)
  Responder Id: 4525615607ADBAF7C88C04352FD73B32B7939229
  Produced At: Apr 25 22:15:28 2015 GMT
  Responses:
  Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 70BE3B73C58233B7F4D1B1BEE03D4D597007CE30
  Issuer Key Hash: 4525615607ADBAF7C88C04352FD73B32B7939229
  Serial Number: 01
  Cert Status: good
  This Update: Apr 25 22:15:28 2015 GMT

  Signature Algorithm: sha1WithRSAEncryption
  32:31:d4:9b:77:56:df:d2:88:67:86:45:2a:a4:8f:97:cc:02:
[...]
removed for demonstration
[...]
  8f:e7:b7:ee:9a:60:32:9c
Certificate:
  Data:
  Version: 3 (0x2)
  Serial Number: 2 (0x2)
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Root CA
  Validity
  Not Before: Apr 19 13:15:43 2015 GMT
  Not After : Apr 14 13:15:43 2035 GMT
  Subject: DC=org, DC=simple, O=Simple Inc, OU=Simple Signing CA, CN=Simple Signing CA
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  Public-Key: (4096 bit)
  Modulus:
  00:c6:ae:05:17:cc:46:61:35:93:ca:9b:34:d4:38:
[...]
removed for demonstration
[...]
  2a:76:8b
  Exponent: 65537 (0x10001)
  X509v3 extensions:
  X509v3 Key Usage: critical
  Certificate Sign, CRL Sign
  X509v3 Basic Constraints: critical
  CA:TRUE, pathlen:0
  X509v3 Subject Key Identifier:
  45:25:61:56:07:AD:BA:F7:C8:8C:04:35:2F:D7:3B:32:B7:93:92:29
  X509v3 Authority Key Identifier:
  keyid:0E:6E:61:08:F1:26:68:83:AC:4A:DD:AA:56:C5:B7:D6:E6:80:42:FA

  Signature Algorithm: sha1WithRSAEncryption
  5d:c1:ff:ef:1b:93:59:73:9d:ee:00:ba:3f:c3:f3:a3:23:20:
[...]
removed for demonstration
[...]
  7e:e6:c5:ca:4e:31:93:a3
-----BEGIN CERTIFICATE-----
MIIFzzCCA7egAwIBAgIBAjANBgkqhkiG9w0BAQUFADB0MRMwEQYKCZImiZPyLGQB
[...]
removed for demonstration
[...]
MZOj
-----END CERTIFICATE-----
Response Verify Failure
34379245432:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/ocsp/ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
```
Yet, I still get the same error:

```
certificate verify error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/ocsp/ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
```
I tested with:

```
openssl ocsp -issuer ./Signing-CA.crt -CApath /etc/ssl/PKI/CA/ -cert ./Signing-CA/Certs/WM-01.MyDomain.Local.crt -url http://OCSP.WM-01.MyDomain.Local/OCSP/ -text
```
Any ideas why this is happening? The ocsp command seems to ignore the "-CApath" flag in server mode


----------



## Leander (Apr 25, 2015)

Does this mean ALL my CAs also need a OCSP and CRL -URL? ... cause Root-CA.crt and Signing-CA.crt currently don't have this.


----------



## Oko (Apr 25, 2015)

Why don't you check OpenSSL documentation? Hey wait a second OpenSSL documentation sucks Sorry I could not resist punching that pile of crap.


----------



## Leander (Apr 25, 2015)

Haha  cheers on that 
I mean it is almost like with MS ... producing Tools which are incompatible with each other ... or why does openssl ocsp not recognize chains properly?!


----------



## Oko (Apr 26, 2015)

Leander said:


> why does openssl ocsp not recognize chains properly?!


Sorry these days I work only with LibreSSL so I am not very helpful but I feel your pain. I will shut up and hope that somebody actually helps you with this.


----------

