OpenSSL: unable to verify the first certificate for Experian URL

by

The first error message is telling you more about the problem:

verify error:num=20:unable to get local issuer certificate

The issuing certificate authority of the end entity server certificate is

VeriSign Class 3 Secure Server CA – G3

Look closely in your CA file – you will not find this certificate since it is an intermediary CA – what you found was a similar-named G3 Public Primary CA of VeriSign.

But why does the other connection succeed, but this one doesn’t? The problem is a misconfiguration of the servers (see for yourself using the -debug option). The “good” server sends the entire certificate chain during the handshake, therefore providing you with the necessary intermediate certificates.

But the server that is failing sends you only the end entity certificate, and OpenSSL is not capable of downloading the missing intermediate certificate “on the fly” (which would be possible by interpreting the Authority Information Access extension). Therefore your attempt fails using s_client but it would succeed nevertheless if you browse to the same URL using e.g. FireFox (which does support the “certificate discovery” feature).

Your options to solve the problem are either fixing this on the server side by making the server send the entire chain, too, or by passing the missing intermediate certificate to OpenSSL as a client-side parameter.

More Related Contents:

  1. How to generate a self-signed SSL certificate using OpenSSL?
  2. How do you sign a Certificate Signing Request with your Certification Authority?
  3. How to get .pem file from .key and .crt files?
  4. Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)
  5. How can I generate a self-signed certificate with SubjectAltName using OpenSSL? [closed]
  6. Convert .pem to .crt and .key
  7. “verify error:num=20” when connecting to gateway.sandbox.push.apple.com
  8. How to install OpenSSL in windows 10?
  9. CNAME SSL certificates
  10. How to determine SSL cert expiration date from a PEM encoded certificate?
  11. How to install: OpenSSL + WAMP
  12. Getting Chrome to accept self-signed localhost certificate
  13. Is a HTTPS query string secure?
  14. why doesn’t java send the client certificate during SSL handshake?
  15. Python referencing old SSL version
  16. How are ssl certificates verified?
  17. OpenSSL: PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE [closed]
  18. Python and OpenSSL version reference issue on OS X
  19. Import certificate as PrivateKeyEntry
  20. Extract public/private key from PKCS12 file for later use in SSH-PK-Authentication
  21. Verify a certificate chain using openssl verify
  22. Convert PEM traditional private key to PKCS8 private key
  23. Unable to establish SSL connection, how do I fix my SSL cert?
  24. android webview with client certificate
  25. OpenSSL DH Key Too Small Error
  26. Nginx configuration leads to endless redirect loop
  27. How do I do TLS with BouncyCastle?
  28. SSL certificate is not trusted – on mobile only [closed]
  29. What happens on the wire when a TLS / LDAP or TLS / HTTP connection is set up?
  30. Difference between self-signed CA and self-signed certificate [closed]

Leave a Comment