unable to verify the first certificate

To check the certificate and the chain the server presents, connect with openssl s_client:

# openssl s_client -showcerts -connect google.com:443
CONNECTED(000001E8)
depth=1 C = US, ST = CA, L = LG, O = "Websense, Inc.", OU = Websense Endpoint, emailAddress = support@websense.com, CN = Websense Public Primary Certificate Authority, description = 1547271623EP@websense.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=US/ST=California/L=Los Gatos/O=Websense, Inc./OU=Websense Triton Advance Protection Endpoint/CN=\x00*\x00.\x00g\x00o\x00o\x00g\x00l\x00e\x00.\x00c\x00o\x00m
   i:/C=US/ST=CA/L=LG/O=Websense, Inc./OU=Websense Endpoint/emailAddress=support@websense.com/CN=Websense Public Primary Certificate Authority/description=\x001\x005\x004\x007\x002\x007\x001\x006\x002\x003\x00E\x00P\x00@\x00w\x00e\x00b\x00s\x00e\x00n\x00s\x00e\x00.\x00c\x00o\x00m
 1 s:/C=US/ST=CA/L=LG/O=Websense, Inc./OU=Websense Endpoint/emailAddress=support@websense.com/CN=Websense Public Primary Certificate Authority/description=\x001\x005\x004\x007\x002\x007\x001\x006\x002\x003\x00E\x00P\x00@\x00w\x00e\x00b\x00s\x00e\x00n\x00s\x00e\x00.\x00c\x00o\x00m
   i:/C=US/ST=CA/L=LG/O=Websense, Inc./OU=Websense Endpoint/emailAddress=support@websense.com/CN=Websense Public Primary Certificate Authority/description=\x001\x005\x004\x007\x002\x007\x001\x006\x002\x003\x00E\x00P\x00@\x00w\x00e\x00b\x00s\x00e\x00n\x00s\x00e\x00.\x00c\x00o\x00m
---
Server certificate
subject=/C=US/ST=California/L=Los Gatos/O=Websense, Inc./OU=Websense Triton Advance Protection Endpoint/CN=\x00*\x00.\x00g\x00o\x00o\x00g\x00l\x00e\x00.\x00c\x00o\x00m
issuer=/C=US/ST=CA/L=LG/O=Websense, Inc./OU=Websense Endpoint/emailAddress=support@websense.com/CN=Websense Public Primary Certificate Authority/description=\x001\x005\x004\x007\x002\x007\x001\x006\x002\x003\x00E\x00P\x00@\x00w\x00e\x00b\x00s\x00e\x00n\x00s\x00e\x00.\x00c\x00o\x00m
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 5437 bytes and written 334 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A30500005BEA0CE956CC7FA809387D0E814B207F874BA5920ADD7C29405C94CE
    Session-ID-ctx:
    Master-Key: 58B7C07EB89BAEA9884F4C66DF59575C78DD66547C0ADF78B3233A8E79C78AACF30F818164F86E2634B931DD9DEC465D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1695309702
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes
---

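If there is a problem in the certificate chain, the verify return code at the end of the output reports it. In the run above the code is 19: the chain ends in a self-signed root (the Websense CA shown as issuer) that openssl does not trust. When the issuer of the server certificate cannot be found at all, typically because the intermediate is missing or wrong, the code is 21: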

    Start Time: 1695309758
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes

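Verify your chain with openssl verify, passing the root as -CAfile and the intermediate as -untrusted. With a root and intermediate that do not match the certificate, verification fails: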

# openssl verify -CAfile gd-class2-root.crt -untrusted gd_intermediate.crt.pem lstar2024.pem
CN = *.lstar.in
error 20 at 0 depth lookup: unable to get local issuer certificate
error lstar2024.pem: verification failed

With the correct root and intermediate, the same command reports OK:

# openssl verify -CAfile gdroot-g2.crt -untrusted gdig2.crt.pem lstar2024.pem
lstar2024.pem: OK

You can use this chain of certificates.
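The failing and passing openssl verify runs above can be reproduced without real certificates. The script below is an added example, not part of the original page: it builds a throwaway root, intermediate and leaf (all names are constructed; "stale" is an unrelated CA standing in for files from the wrong chain) and runs the same command shape against the wrong and then the right CA files.

```shell
# Added example: throwaway PKI with constructed names, not the page's certificates.
set -u

# make_pki DIR: root -> intermediate -> leaf, plus "stale", an unrelated
# self-signed CA that did not issue anything in the chain.
make_pki() {
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root stale intermediate leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  for n in root stale; do   # self-signed trust anchors
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$d/ca.ext" -out "$d/$n.crt" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# verify_chain ROOT INTERMEDIATE LEAF: the command shape used on this page.
# Prints openssl's verdict; exit status is 0 only when the chain builds.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1
}

# show_links CERT...: print subject and issuer of each file. The chain is
# consistent when each issuer equals the subject of the next file up.
show_links() {
  local c
  for c in "$@"; do
    openssl x509 -in "$c" -noout -subject -issuer | sed "s|^|${c##*/}: |"
  done
}

demo() {
  local d rc
  d=$(mktemp -d) || return 1
  make_pki "$d" || { rm -rf "$d"; return 1; }
  show_links "$d/leaf.crt" "$d/intermediate.crt" "$d/root.crt"
  echo "--- CA files from another chain (error 20 at depth 0):"
  verify_chain "$d/stale.crt" "$d/stale.crt" "$d/leaf.crt"
  echo "--- matching root and intermediate (OK):"
  verify_chain "$d/root.crt" "$d/intermediate.crt" "$d/leaf.crt"; rc=$?
  rm -rf "$d"
  return $rc
}
demo
```

Error 20 at depth 0 is the offline form of the s_client code 21 shown earlier: in both cases nothing supplied matches the issuer of the server certificate.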
