https://community.nxp.com/t5/i-MX-Processors/OPENSSL-to-verify-CSF-IMG-certificates/m-p/665523#M102352 <HTML><HEAD></HEAD><BODY><P>Thanks Yuri.</P><P></P><P>That is exactly what I did. I combined the certificates of CA and SRK1 into one (CA-SRK1-chain.pem) and then I used that to verify. It worked.</P><P></P><P>Greetsm</P><P>Satya</P></BODY></HTML> Wed, 12 Jul 2017 10:52:57 GMT satyadamarla 2017-07-12T10:52:57Z https://community.nxp.com/t5/i-MX-Processors/OPENSSL-to-verify-CSF-IMG-certificates/m-p/665520#M102349 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>There are three certificates: SRK, CSF &amp; IMG.</P><P></P><P>SRK is kind of intermediary certificate, whereas CSF and IMG are subordinate or user certificate. The SRK certificate is signed by CA whereas the CSF/IMG are signed by SRK.</P><P></P><P>I tried to verify the SRK and it works well:</P><P><BR /><STRONG><EM style="color: #008000;">openssl verify -CAfile CA1_sha256_3072_65537_v3_ca_crt.pem SRK1_sha256_3072_65537_v3_ca_crt.pem </EM></STRONG><BR /><STRONG><EM style="color: #008000;">SRK1_sha256_3072_65537_v3_ca_crt.pem: OK</EM></STRONG></P><P></P><P>Whereas when I try to verify the IMG and CSF with SRK or CA, it doesn't work:</P><P></P><P><STRONG><EM style="color: #ff0000;">openssl verify -CAfile SRK1_sha256_3072_65537_v3_ca_crt.pem CSF1_1_sha256_3072_65537_v3_usr_crt.pem </EM></STRONG><BR /><STRONG><EM style="color: #ff0000;">CSF1_1_sha256_3072_65537_v3_usr_crt.pem: CN = SRK1_sha256_3072_65537_v3_ca</EM></STRONG><BR /><STRONG><EM style="color: #ff0000;">error 2 at 1 depth lookup:unable to get issuer certificate</EM></STRONG></P><P><STRONG><EM style="color: #ff0000;">openssl verify -CAfile SRK1_sha256_3072_65537_v3_ca_crt.pem IMG1_1_sha256_3072_65537_v3_usr_crt.pem </EM></STRONG><BR /><STRONG><EM style="color: #ff0000;">IMG1_1_sha256_3072_65537_v3_usr_crt.pem: CN = SRK1_sha256_3072_65537_v3_ca</EM></STRONG><BR /><STRONG><EM style="color: #ff0000;">error 2 at 1 depth lookup:unable to get issuer certificate</EM></STRONG></P><P></P><P>Can anyone suggest me how to verify CSF &amp; IMG certificates properly?</P><P></P><P>Greets,</P><P>Satya</P></BODY></HTML> Wed, 12 Jul 2017 08:13:32 GMT https://community.nxp.com/t5/i-MX-Processors/OPENSSL-to-verify-CSF-IMG-certificates/m-p/665520#M102349 satyadamarla 2017-07-12T08:13:32Z https://community.nxp.com/t5/i-MX-Processors/OPENSSL-to-verify-CSF-IMG-certificates/m-p/665521#M102350 <HTML><HEAD></HEAD><BODY><P>Hi,&nbsp;</P><P></P><P>I found the solution myself after a bit of googling. It's important to create the chain. So, I did the following</P><P></P><P><STRONG><EM style="color: #008000;">cat SRK1_sha256_3072_65537_v3_ca_crt.pem CA1_sha256_3072_65537_v3_ca_crt.pem &gt; SRK1-CA-chain.pem</EM></STRONG></P><P><STRONG><EM style="color: #008000;">openssl verify -CAfile SRK1-CA-chain.pem CSF1_1_sha256_3072_65537_v3_usr_crt.pem </EM></STRONG><BR /><STRONG><EM style="color: #008000;">CSF1_1_sha256_3072_65537_v3_usr_crt.pem: OK</EM></STRONG></P><P><STRONG><EM style="color: #008000;">openssl verify -CAfile SRK1-CA-chain.pem IMG1_1_sha256_3072_65537_v3_usr_crt.pem </EM></STRONG><BR /><STRONG><EM style="color: #008000;">IMG1_1_sha256_3072_65537_v3_usr_crt.pem: OK</EM></STRONG></P><P></P><P><SPAN style="color: #000000;">Greets,</SPAN></P><P><SPAN style="color: #000000;">Satya</SPAN></P></BODY></HTML> Wed, 12 Jul 2017 08:59:20 GMT https://community.nxp.com/t5/i-MX-Processors/OPENSSL-to-verify-CSF-IMG-certificates/m-p/665521#M102350 satyadamarla 2017-07-12T08:59:20Z https://community.nxp.com/t5/i-MX-Processors/OPENSSL-to-verify-CSF-IMG-certificates/m-p/665522#M102351 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>&nbsp; Hope the following helps.</P><P></P><P><A class="link-titled" href="https://knowledge.symantec.com/support/mpki-support/index?page=content&amp;id=SO12792&amp;actp=RSS&amp;viewlocale=en_US" title="https://knowledge.symantec.com/support/mpki-support/index?page=content&amp;id=SO12792&amp;actp=RSS&amp;viewlocale=en_US">https://knowledge.symantec.com/support/mpki-support/index?page=content&amp;id=SO12792&amp;actp=RSS&amp;viewlocale=en_US</A>&nbsp;</P><P></P><P>Have a great day,<BR />Yuri</P><P></P><P>-----------------------------------------------------------------------------------------------------------------------<BR />Note: If this post answers your question, please click the Correct Answer button. Thank you!<BR />-----------------------------------------------------------------------------------------------------------------------</P></BODY></HTML> Wed, 12 Jul 2017 09:08:05 GMT https://community.nxp.com/t5/i-MX-Processors/OPENSSL-to-verify-CSF-IMG-certificates/m-p/665522#M102351 Yuri 2017-07-12T09:08:05Z https://community.nxp.com/t5/i-MX-Processors/OPENSSL-to-verify-CSF-IMG-certificates/m-p/665523#M102352 <HTML><HEAD></HEAD><BODY><P>Thanks Yuri.</P><P></P><P>That is exactly what I did. I combined the certificates of CA and SRK1 into one (CA-SRK1-chain.pem) and then I used that to verify. It worked.</P><P></P><P>Greetsm</P><P>Satya</P></BODY></HTML> Wed, 12 Jul 2017 10:52:57 GMT https://community.nxp.com/t5/i-MX-Processors/OPENSSL-to-verify-CSF-IMG-certificates/m-p/665523#M102352 satyadamarla 2017-07-12T10:52:57Z