error 20 at 0 depth lookup:unable to get local issuer certificate error


Oleg Smelkoff
Hi All!

I've encountered the same problem as in this topic:
http://openssl.6102.n7.nabble.com/Getting-crazy-with-quot-error-20-at-0-depth-lookup-unable-to-get-local-issuer-certificate-error-quot-td21109.html#none
but it didn't help me.

I have 2 chains, and I am trying to verify the EE certificates with CApath or CAfile (it
doesn't matter).

A.crt -> B.crt -> C1.crt -> D1.crt - works
A.crt -> B.crt -> C2.crt -> D2.crt - doesn't work (error 20 at 0 depth
lookup:unable to get local issuer certificate)

Please note that the first two certificates in the chain are the same.

Like the author of the mentioned topic, I checked the following things for the C and
D certificates:

1. Child's issuer = parent's subject (as well as their hashes)
2. Key usage of all parent certificates contains "Certificate Sign"
3. Serial in AKI section is the same as issuer's Serial Number
4. Authority Key Identifier = issuer's Subject Key identifier

As I thought, the reason for that problem was an incorrect AKID in the EE certificate,
because the AKID has to identify the issuer of the issuer, BUT

successful verification of my first chain disproves this! It has the same
structure and dependencies:

D2(failed):

X509v3 Authority Key Identifier:
    *keyid:AF:6E:6E:56:1A:20:C9:9A:C2:D8:40:BD:32:F7:1E:0C:D5:4C:52:EB*
    DirName:/1.2.643.100.1=1069659052760/1.2.643.3.131.1.1=006659140843/C=RU/ST=66 \xD0\xA1\xD0\xB2\xD0\xB5\xD1\x80\xD0\xB4\xD0\xBB\xD0\xBE\xD0\xB2\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F \xD0\xBE\xD0\xB1\xD0\xBB\xD0\xB0\xD1\x81\xD1\x82\xD1\x8C
    *serial:37:B8:F5:1B:00:03:00:00:07:DD*

C2(issuer of D2):

Serial Number:                    
    *37:b8:f5:1b:00:03:00:00:07:dd *
X509v3 Subject Key Identifier:                                    
    *AF:6E:6E:56:1A:20:C9:9A:C2:D8:40:BD:32:F7:1E:0C:D5:4C:52:EB*


D1(succeed):                                            

X509v3 Authority Key Identifier:
    *keyid:F3:9C:00:71:98:C6:B3:78:C4:D3:E8:C6:2A:7E:AA:DB:1D:16:B4:9C*
    DirName:/1.2.643.3.131.1.1=007710474375/1.2.643.100.1=1047702026701/emailAddress=[hidden email]/street=125375 \xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0 \xD1\x83\xD0\xBB. \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F \xD0\xB4.7
    *serial:4C:8A:31:03:00:03:00:00:08:11*

C1(issuer of D1):

Serial Number:                  
    *4c:8a:31:03:00:03:00:00:08:11*
X509v3 Subject Key Identifier:                                
    *F3:9C:00:71:98:C6:B3:78:C4:D3:E8:C6:2A:7E:AA:DB:1D:16:B4:9C*


Both C1 and C2 have the same AKI section:

X509v3 Authority Key Identifier:
    keyid:11:88:69:5E:EF:C8:E9:73:DB:7A:57:35:BC:D2:01:F3:05:FE:A7:D1
    DirName:/emailAddress=[hidden email]/C=RU/ST=77 \xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0
    serial:EB:C1:05:54:00:00:00:00:00:59

Could you help me, please? I'm really stuck on this problem :(

I also attach all certificates


--
Oleg Smelkov
[hidden email]



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: error 20 at 0 depth lookup:unable to get local issuer certificate error

Viktor Dukhovni


> On Jan 25, 2018, at 4:59 AM, Oleg Smelkoff <[hidden email]> wrote:
>
> As I thought, reason of that problem was incorrect AKID of EE-certificate,
> cause AKID has to identify the issuer of the issuer,

That is indeed the problem, but your statement above is not accurate.
In the AKID extension the following rules apply:

   (See https://tools.ietf.org/html/rfc5280#section-4.2.1.1)

   1. The "keyIdentifier" (keyid), if present, must match the subject key
      ID of the issuing CA's certificate (not the issuer of the issuer)

   2. The "authorityCertSerialNumber", if present, must match the serial
      number of the issuing CA's certificate (not the issuer of the issuer)

   3. The "authorityCertIssuer" (DirName), if present, must match the
      issuer DN of the issuing CA's certificate.

It is part 3 that is perhaps confusing you a bit, because it is also
the subject DN of the issuing CA's issuer.

> Could you help me, please. I'm really stuck at this problem :(

The above requirements are not met by D2, because C2's issuer:

  OBJECT            :INN
  NUMERICSTRING     :007710474375
  OBJECT            :OGRN
  NUMERICSTRING     :1047702026701
  OBJECT            :emailAddress
  IA5STRING         :[hidden email]
  OBJECT            :streetAddress
  UTF8STRING        :125375 г. Москва ул. Тверская д.7
  OBJECT            :organizationName
  UTF8STRING        :Минкомсвязь России
  OBJECT            :localityName
  UTF8STRING        :Москва
  OBJECT            :stateOrProvinceName
  UTF8STRING        :77 г. Москва
  OBJECT            :countryName
  PRINTABLESTRING   :RU
  OBJECT            :commonName
  UTF8STRING        :УЦ 1 ИС ГУЦ

Does not match D2's AKID DirName:

  OBJECT            :OGRN
  NUMERICSTRING     :1069659052760
  OBJECT            :INN
  NUMERICSTRING     :006659140843
  OBJECT            :countryName
  PRINTABLESTRING   :RU
  OBJECT            :stateOrProvinceName
  UTF8STRING        :66 Свердловская область
  OBJECT            :localityName
  UTF8STRING        :Екатеринбург
  OBJECT            :streetAddress
  UTF8STRING        :ул. Первомайская, д. 15
  OBJECT            :organizationalUnitName
  UTF8STRING        :Удостоверяющий центр
  OBJECT            :organizationName
  UTF8STRING        :ООО "МОСТИНФО"
  OBJECT            :commonName
  UTF8STRING        :Подчиненный УЦ 2.0

While D1's AKID DirName is:

  OBJECT            :INN
  NUMERICSTRING     :007710474375
  OBJECT            :OGRN
  NUMERICSTRING     :1047702026701
  OBJECT            :emailAddress
  IA5STRING         :[hidden email]
  OBJECT            :streetAddress
  UTF8STRING        :125375 г. Москва ул. Тверская д.7
  OBJECT            :organizationName
  UTF8STRING        :Минкомсвязь России
  OBJECT            :localityName
  UTF8STRING        :Москва
  OBJECT            :stateOrProvinceName
  UTF8STRING        :77 г. Москва
  OBJECT            :countryName
  PRINTABLESTRING   :RU
  OBJECT            :commonName
  UTF8STRING        :УЦ 1 ИС ГУЦ

which does match C1's and C2's common issuer DN, that is, B's subject DN.

--
        Viktor.
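
The three AKID rules from the reply above, applied to the field values quoted in this thread. This is an added example, not part of either post and not OpenSSL's code; `check_akid`, `norm_hex` and the dictionary layout are hypothetical, and DNs are compared as exact ordered lists rather than with a canonical name comparison.

```python
# Added example, not OpenSSL's code: the three RFC 5280 AKID rules from the
# reply, checked against field values quoted in this thread.
def norm_hex(value):
    """Normalise 'AF:6E:..' or 'af:6e:..' to bare lowercase hex."""
    return value.replace(":", "").strip().lower()

def check_akid(akid, issuer):
    """Return the names of the AKID fields that the candidate issuer fails."""
    failed = []
    # Rule 1: keyIdentifier must equal the issuing CA's subject key ID.
    if akid.get("keyid") and norm_hex(akid["keyid"]) != norm_hex(issuer["skid"]):
        failed.append("keyIdentifier")
    # Rule 2: authorityCertSerialNumber must equal the issuing CA's serial.
    if akid.get("serial") and norm_hex(akid["serial"]) != norm_hex(issuer["serial"]):
        failed.append("authorityCertSerialNumber")
    # Rule 3: authorityCertIssuer must equal the issuing CA's *issuer* DN
    # (simplification: exact, ordered attribute comparison).
    if akid.get("dirname") and list(akid["dirname"]) != list(issuer["issuer_dn"]):
        failed.append("authorityCertIssuer")
    return failed

# B's subject DN = issuer DN of both C1 and C2 (e-mail masked by the archive).
B_SUBJECT = [
    ("INN", "007710474375"), ("OGRN", "1047702026701"),
    ("emailAddress", "[hidden email]"),
    ("streetAddress", "125375 г. Москва ул. Тверская д.7"),
    ("organizationName", "Минкомсвязь России"), ("localityName", "Москва"),
    ("stateOrProvinceName", "77 г. Москва"), ("countryName", "RU"),
    ("commonName", "УЦ 1 ИС ГУЦ"),
]
# D2's AKID DirName as dumped in the reply.
D2_DIRNAME = [
    ("OGRN", "1069659052760"), ("INN", "006659140843"), ("countryName", "RU"),
    ("stateOrProvinceName", "66 Свердловская область"),
    ("localityName", "Екатеринбург"),
    ("streetAddress", "ул. Первомайская, д. 15"),
    ("organizationalUnitName", "Удостоверяющий центр"),
    ("organizationName", 'ООО "МОСТИНФО"'), ("commonName", "Подчиненный УЦ 2.0"),
]
C1 = {"skid": "F3:9C:00:71:98:C6:B3:78:C4:D3:E8:C6:2A:7E:AA:DB:1D:16:B4:9C",
      "serial": "4c:8a:31:03:00:03:00:00:08:11", "issuer_dn": B_SUBJECT}
C2 = {"skid": "AF:6E:6E:56:1A:20:C9:9A:C2:D8:40:BD:32:F7:1E:0C:D5:4C:52:EB",
      "serial": "37:b8:f5:1b:00:03:00:00:07:dd", "issuer_dn": B_SUBJECT}
D1_AKID = {"keyid": C1["skid"], "serial": "4C:8A:31:03:00:03:00:00:08:11",
           "dirname": B_SUBJECT}
D2_AKID = {"keyid": C2["skid"], "serial": "37:B8:F5:1B:00:03:00:00:07:DD",
           "dirname": D2_DIRNAME}

if __name__ == "__main__":
    print("D1 against C1:", check_akid(D1_AKID, C1) or "all rules pass")
    print("D2 against C2:", check_akid(D2_AKID, C2))
```
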
