Hello,
There are three certificates: SRK, CSF & IMG.
SRK is kind of intermediary certificate, whereas CSF and IMG are subordinate or user certificate. The SRK certificate is signed by CA whereas the CSF/IMG are signed by SRK.
I tried to verify the SRK and it works well:
openssl verify -CAfile CA1_sha256_3072_65537_v3_ca_crt.pem SRK1_sha256_3072_65537_v3_ca_crt.pem
SRK1_sha256_3072_65537_v3_ca_crt.pem: OK
Whereas when I try to verify the IMG and CSF with SRK or CA, it doesn't work:
openssl verify -CAfile SRK1_sha256_3072_65537_v3_ca_crt.pem CSF1_1_sha256_3072_65537_v3_usr_crt.pem
CSF1_1_sha256_3072_65537_v3_usr_crt.pem: CN = SRK1_sha256_3072_65537_v3_ca
error 2 at 1 depth lookup:unable to get issuer certificate
openssl verify -CAfile SRK1_sha256_3072_65537_v3_ca_crt.pem IMG1_1_sha256_3072_65537_v3_usr_crt.pem
IMG1_1_sha256_3072_65537_v3_usr_crt.pem: CN = SRK1_sha256_3072_65537_v3_ca
error 2 at 1 depth lookup:unable to get issuer certificate
Can anyone suggest me how to verify CSF & IMG certificates properly?
Greets,
Satya
解決済! 解決策の投稿を見る。
Hi,
I found the solution myself after a bit of googling. It's important to create the chain. So, I did the following
cat SRK1_sha256_3072_65537_v3_ca_crt.pem CA1_sha256_3072_65537_v3_ca_crt.pem > SRK1-CA-chain.pem
openssl verify -CAfile SRK1-CA-chain.pem CSF1_1_sha256_3072_65537_v3_usr_crt.pem
CSF1_1_sha256_3072_65537_v3_usr_crt.pem: OK
openssl verify -CAfile SRK1-CA-chain.pem IMG1_1_sha256_3072_65537_v3_usr_crt.pem
IMG1_1_sha256_3072_65537_v3_usr_crt.pem: OK
Greets,
Satya
Hello,
Hope the following helps.
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Thanks Yuri.
That is exactly what I did. I combined the certificates of CA and SRK1 into one (CA-SRK1-chain.pem) and then I used that to verify. It worked.
Greetsm
Satya
Hi,
I found the solution myself after a bit of googling. It's important to create the chain. So, I did the following
cat SRK1_sha256_3072_65537_v3_ca_crt.pem CA1_sha256_3072_65537_v3_ca_crt.pem > SRK1-CA-chain.pem
openssl verify -CAfile SRK1-CA-chain.pem CSF1_1_sha256_3072_65537_v3_usr_crt.pem
CSF1_1_sha256_3072_65537_v3_usr_crt.pem: OK
openssl verify -CAfile SRK1-CA-chain.pem IMG1_1_sha256_3072_65537_v3_usr_crt.pem
IMG1_1_sha256_3072_65537_v3_usr_crt.pem: OK
Greets,
Satya