I'm trying to complete an entire process of request/verify of a trusted timestamp. I'm working with a TSA server and I'm able to create a valid timestamp request. I know that it's valid because the TSA owner has a webpage dedicated to timestamping request validation. Anyway, I have to do this process programmatically, so I'm using openssl to verify:

openssl ts -verify -queryfile request.tsq -in result.tsr -CAfile tsaownercert.pem

This command always produces:

TS_VERIFY_CERT:certificate verify error:unable to get local issuer certificate

I'm working locally with MAMP, but the behaviour is the same online on a CentOS server.

  • Files involved in the command are reachable.
  • tsaownercert.pem is a certificate I got from the TSA owner; they said "it is the certificate in which the timestamps are signed"

Maybe I have to do some kind of installation of the certificate in the system to make it available? How can I do it in MAMP, and how on the server?

user31929

1 Answer

From OpenSSL's man page:

-CAfile trusted_certs.pem

The name of the file containing a set of trusted self-signed CA certificates in PEM format. See the similar option of verify(1) for additional details. Either this option or -CApath must be specified. (Optional)

-untrusted cert_file.pem

Set of additional untrusted certificates in PEM format which may be needed when building the certificate chain for the TSA's signing certificate. This file must contain the TSA signing certificate and all intermediate CA certificates unless the response includes them. (Optional)

Therefore, -CAfile should point to the self-signed Root CA, while all subordinate CAs, including the TS signing certificate, should be in the file pointed to by -untrusted if they are not in the original response (result.tsr).

garethTheRed
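
The split described in the answer above, as an added example that is not part of the original post: it generates a throwaway root -> intermediate -> TSA chain, signs one timestamp, and verifies the same response first with the TSA certificate as -CAfile, then with the root as -CAfile and the remaining certificates as -untrusted. All file names, subject names and the policy OID 1.2.3.4.1 are constructed for the demonstration.

```shell
# Added example: throwaway PKI (root -> intermediate -> TSA); every name and file is constructed.
build_demo() (  # creates the PKI plus request.tsq/result.tsr, prints the directory
  set -e; d=$(mktemp -d); cd "$d"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[tsa_ext]
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,timeStamping
[tsa]
serial = ./serial
default_policy = 1.2.3.4.1
digests = sha256
signer_digest = sha256
EOF
  issue() {  # issue <name> <issuer> <extension section>
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=Demo $1" \
      -keyout "$1.key" -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -extfile pki.cnf -extensions "$3" -days 2 -out "$1.pem"
  }
  {
    openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions ca_ext \
      -subj "/CN=Demo root" -days 2 -keyout root.key -out root.pem
    issue intermediate root ca_ext
    issue tsa intermediate tsa_ext
    echo "document to stamp" > data.txt; echo 01 > serial
    openssl ts -query -config pki.cnf -data data.txt -sha256 -cert -out request.tsq
    openssl ts -reply -config pki.cnf -section tsa -queryfile request.tsq \
      -signer tsa.pem -inkey tsa.key -out result.tsr
    cat intermediate.pem tsa.pem > untrusted.pem  # subordinate CA + TSA signing cert
  } >/dev/null 2>&1
  echo "$d"
)
verify_leaf_as_ca() {  # the question's form: TSA certificate passed as -CAfile
  openssl ts -verify -queryfile "$1/request.tsq" -in "$1/result.tsr" -CAfile "$1/tsa.pem" 2>&1
}
verify_root_and_untrusted() {  # the answer's form: root in -CAfile, the rest in -untrusted
  openssl ts -verify -queryfile "$1/request.tsq" -in "$1/result.tsr" \
    -CAfile "$1/root.pem" -untrusted "$1/untrusted.pem" 2>&1
}
d=$(build_demo)
verify_leaf_as_ca "$d" || echo "leaf as -CAfile: chain cannot reach a trusted root"
verify_root_and_untrusted "$d"
```

The response here carries only the signing certificate (requested with -cert in the query), so the intermediate has to come from the -untrusted file for the chain to reach the root.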