[Operators] IM Observatory: Not recognising DigiCert root certificate

Robert Norris robn at fastmail.fm
Thu Oct 31 03:15:27 UTC 2013


On Thu, Oct 31, 2013, at 01:02 PM, Peter Saint-Andre wrote:
> Rob Norris! I was thinking about you just the other day while walking
> around the streets of Portland, Oregon. :-)

Wow, that was ten years ago this year. Feeling old yet?! :)

> openssl s_client -connect chat.messagingengine.com:5223 -CAfile
> DigiCertHighAssuranceECRootCA.crt
> 
> The result I get is:
> 
> "Verify return code: 20 (unable to get local issuer certificate)"

Yet when I do it:

  [robn at betaweb1 ~]$ openssl s_client -connect
  chat.messagingengine.com:5223 -CAfile
  DigiCertHighAssuranceEVRootCA.pem | head
  depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
  High Assurance EV Root CA
  verify return:1
  depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
  High Assurance CA-3
  verify return:1
  depth=0 C = NO, ST = Oslo, L = Oslo, O = Opera Software ASA, CN =
  *.messagingengine.com
  verify return:1

Looking at the cert file itself:

  [robn at betaweb1 ~]$ openssl x509 -text <
  DigiCertHighAssuranceEVRootCA.pem | grep -A1 Serial
          Serial Number:
              02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77

Which matches what DigiCert give me here:

  https://www.digicert.com/digicert-root-certificates.htm

So I'm confused as to how we're getting different results. Where did you
get your copy of the root cert?


More information about the Operators mailing list