As I learn more about Certificate Authorities… I am keen to better equip myself to verify the validity of certificates.
I found the following command in one of the examples that was associated with building a new certificate authority.
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/www.example.com.cert.pem
So… I thought to adapt this and test it out using the certificates created by OpenZiti.
openssl verify -CAfile /home/opc/.ziti/quickstart/instance-20220416-1603/pki/168.138.10.79-intermediate/certs/168.138.10.79-server.chain.pem /home/opc/.ziti/quickstart/instance-20220416-1603/pki/routers/instance-20220416-1603-edge-router/server.cert
However, I must be doing something wrong… as I get the following error.
C = US, ST = NC, L = Charlotte, O = NetFoundry, OU = Ziti, CN = 8Zo-gTL0Ck
error 20 at 0 depth lookup: unable to get local issuer certificate
error /home/opc/.ziti/quickstart/instance-20220416-1603/pki/routers/instance-20220416-1603-edge-router/server.cert: verification failed
Any tips on how to resolve this… maybe the intermediate certs are not the right ones to use… would it be the signing certs instead?
If so… what is the difference between the intermediate and signing certs?
Any guidance on this will be greatly appreciated… I am quite overwhelmed with all of the technical aspects associated with a Certificate Authority… and need a few high-level pointers to navigate.
In the future, I plan to integrate my own Certificate Authority… and implement a regular refresh of the certificates… but that is a bit further down the road for me at the moment.
Thanks
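
An added example, not part of the original post and not OpenZiti's own tooling: `error 20 at 0 depth lookup` means OpenSSL found no certificate in the `-CAfile` bundle whose subject matches the issuer of the certificate being checked. The script below reproduces that on a constructed throwaway PKI and shows one way to find which CA file actually issued a certificate. Every name and path in it (`intermediate-a`, `signing-b`, `leaf`, the temp directory) is made up for the illustration.

```shell
#!/bin/sh
set -eu

# Constructed PKI: root -> {intermediate-a, signing-b}; leaf is issued by signing-b.
build_pki() (   # $1 = empty working directory (body runs in a subshell)
  cd "$1"
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = unused' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > pki.cnf
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj '/CN=constructed-root' -keyout root.key -out root.pem -days 2 2>/dev/null
  for name in intermediate-a signing-b; do
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile pki.cnf -extensions v3_ca -days 2 \
      -out "$name.pem" 2>/dev/null
  done
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=leaf' -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA signing-b.pem -CAkey signing-b.key \
    -CAcreateserial -days 2 -out leaf.pem 2>/dev/null
  cat intermediate-a.pem root.pem > chain-a.pem   # does NOT contain the leaf's issuer
  cat signing-b.pem root.pem > chain-b.pem        # contains the leaf's issuer
)

# Print "ok", or the numeric OpenSSL verify error for bundle $1 and cert $2.
verify_error() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Print the first candidate CA file ($2..) that directly issued cert $1.
# -partial_chain lets a non-root CA act as the trust anchor for this check.
find_issuer() {
  leaf=$1; shift
  for ca in "$@"; do
    if openssl verify -partial_chain -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
      echo "$ca"; return 0
    fi
  done
  return 1
}

PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR"
echo "chain-a: $(verify_error "$PKI_DIR/chain-a.pem" "$PKI_DIR/leaf.pem")"
echo "chain-b: $(verify_error "$PKI_DIR/chain-b.pem" "$PKI_DIR/leaf.pem")"
echo "issuer:  $(find_issuer "$PKI_DIR/leaf.pem" "$PKI_DIR"/root.pem \
  "$PKI_DIR"/intermediate-a.pem "$PKI_DIR"/signing-b.pem)"
```

On a real deployment, `openssl x509 -noout -subject -issuer -in <cert>` on the certificate and on each candidate CA file gives the same answer by eye.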