Where can I find the EssentialSSL Intermediate CA?

I downloaded the bundle from https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2 , then executed this on my Mac

```
cat comodo-rsa-domain-validation-sha-2-w-root.ca-bundle /usr/local/etc/openssl/cert.pem  > allcacerts.crt
```

Then I verified my EssentialSSL cert via

```
openssl verify -CAfile allcacerts.crt example_com.crt
```

But I get a

```
example_com.crt: OU = Domain Control Validated, OU = Hosted by Crazy Domains FZ-LLC, OU = EssentialSSL, CN = example.com
error 20 at 0 depth lookup:unable to get local issuer certificate
```

Additional Info: I downloaded the Intermediate CA for EssentialSSL and tried it on the certificate that I got and I still was not able to verify it. Seems like the Intermediate CA for this EssentialSSL needs to come from the original vendor CrazyDomains.com.au which I'm still in the process of getting. But if you can direct me where I can get that, that would be great. Thanks!

Franz See
  • Firstly, it's an intermediate certificate, not a CA; CAs, by definition, are at roots. Secondly, where did you get your EssentialSSL certificate? They're the most likely people to have a copy of the intermediate certificate, as they have the intermediate signing key that corresponds to it. – MadHatter Apr 15 '16 at 15:02
  • @MadHatter: nitpicking, but a CA is simply something which can issue certificates. A CA can be a Root-CA or an intermediate CA. See also [Wikipedia](https://en.wikipedia.org/wiki/Certificate_authority#Overview). – Steffen Ullrich Apr 15 '16 at 15:45
  • @SteffenUllrich on reflection, I agree with your nitpicking. Nevertheless, unless he's looking for a building containing engineers, he doesn't want an intermediate CA (the entity that issues certificates), he wants an intermediate certificate (a specific thing issued by such an entity). And I still think the best place to get that is from that CA! – MadHatter Apr 15 '16 at 15:49
  • @MadHatter: not really - he wants a trusted CA. This does not need to be a common root CA. Everything which is in the CA store (`-CAfile`) is considered trusted. But I guess there is something else wrong and without having a closer look at the certificates he uses it is impossible to say what the problem is. I think what he is actually trying to do is use the CA bundle as intermediates but somehow he did not get the bundle which fits his leaf certificate. – Steffen Ullrich Apr 15 '16 at 15:52
  • @SteffenUllrich he's pretty clear that he wants an intermediate certificate, though I think he asks for it by the wrong name. I think that's what he wants, too, and only the issuer can reliably give it to him, because one and only one intermediate certificate will link his leaf certificate to something likely to be in the trusted root bundle. If you think he wants or needs something else, feel free to write an answer. I agree that this would go a lot quicker if he posted the leaf certificate in question. – MadHatter Apr 15 '16 at 16:13
  • @MadHatter : Thanks. It came from our client. Apologies :) I may be asking for the wrong thing. Honestly, what I want is for that thing to just work on Firefox :D – Franz See Apr 15 '16 at 23:40
  • @SteffenUllrich : Apologies :) I may be asking for the wrong thing. Honestly, what I want is for that thing to just work on Firefox :D – Franz See Apr 15 '16 at 23:41
  • @FranzSee: let me guess: you have a web server and somehow it does not serve any or not the proper intermediate CA. You've tried to fix this and failed. My guess is that you are using the wrong intermediate but w/o having any access to the leaf certificate (i.e. certificate or URL using this certificate) it is impossible to say why it is wrong and what the right CA would be. – Steffen Ullrich Apr 16 '16 at 05:19
  • @SteffenUllrich ok, it's my turn to nitpick. I agree with you that a CA is something which can issue certificates. It is **not**, however, an alternative term for certificate. You won't help the OP by sending him out to get an authority when what he needs is a certificate issued by that authority. Franz, seriously, *just post the certificate*. They're not secret - you give them to everyone who makes an SSL connection to you. – MadHatter Apr 16 '16 at 05:26
  • @MadHatter: you are right. – Steffen Ullrich Apr 16 '16 at 05:35
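
The comments turn on whether the bundle holds the certificate that actually issued the leaf. The script below is an added example, not code from the thread or from the CA: it builds a constructed root, two intermediates and a leaf, checks for an issuer name match with `openssl x509 -issuer_hash` / `-subject_hash`, then repeats the question's `openssl verify -CAfile` check. The function names and file names are assumptions.

```sh
#!/bin/sh
# Added example: every certificate below is constructed (a throw-away root, two
# intermediates and a leaf); none of it comes from the thread.
set -eu
work=$(mktemp -d)

# mk_cert NAME ISSUER CA_FLAG: issue NAME.crt, signed by ISSUER (self-signed if NAME = ISSUER).
mk_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/$1.key" \
    -subj "/CN=Constructed $1" -out "$work/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$work/$1.ext"
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$work/$1.csr" -signkey "$work/$1.key" -days 2 \
      -extfile "$work/$1.ext" -out "$work/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$work/$1.csr" -CA "$work/$2.crt" -CAkey "$work/$2.key" \
      -CAcreateserial -days 2 -extfile "$work/$1.ext" -out "$work/$1.crt" 2>/dev/null
  fi
}

# issuer_in_bundle LEAF BUNDLE: true if a certificate in BUNDLE has the subject name
# that LEAF names as its issuer. A name match only; openssl verify checks the signature.
issuer_in_bundle() {
  want=$(openssl x509 -noout -issuer_hash -in "$1")
  split=$(mktemp -d "$work/split.XXXXXX")
  awk -v d="$split" '/BEGIN CERTIFICATE/ {n++} n {print > (d "/" n ".pem")}' "$2"
  for c in "$split"/*.pem; do
    [ "$(openssl x509 -noout -subject_hash -in "$c")" = "$want" ] && return 0
  done
  return 1
}

# chain_ok BUNDLE LEAF: the question's check, with BUNDLE plus the root as -CAfile.
chain_ok() {
  cat "$1" "$work/root.crt" > "$work/allcacerts.crt"
  openssl verify -CAfile "$work/allcacerts.crt" "$2" >/dev/null 2>&1
}

mk_cert root root TRUE
mk_cert intA root TRUE    # the intermediate that really issued the leaf
mk_cert intB root TRUE    # a different intermediate under the same root
mk_cert leaf intA FALSE
for b in intB intA; do
  if issuer_in_bundle "$work/leaf.crt" "$work/$b.crt"; then m=found; else m=missing; fi
  if chain_ok "$work/$b.crt" "$work/leaf.crt"; then v=OK; else v=FAILED; fi
  echo "bundle=$b issuer=$m verify=$v"
done
```

Run against a real leaf and bundle, a `missing` result means the bundle does not hold the issuing intermediate, which is the condition behind error 20 at depth 0.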
