TLS: Unable to Get Local Issuer Certificate
This error occurs when the directory server uses a certificate signed by a third-party CA (such as VeriSign or Thawte). In such cases the directory server may not send the complete certificate chain, and the certificate that would complete it (the local issuer, which in Example 1 is the root CA certificate) is not in the client's trust store. Without that certificate the chain cannot be built, which prevents certificate verification.
Error Message Text
verify error:num=20:unable to get local issuer certificate
Example 1: Use openssl to Identify the Certificates Not Verified
When you encounter verify error:num=20, use openssl s_client (for example, openssl s_client -connect <directory server>:<TLS port> -showcerts) to display the certificate chain the server sends. The output shows a chain that ends with an issuer for which no certificate is available locally, for example:
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=El Segundo/O=Teradata/OU=Domain Controllers/CN=sussan140.td.teradata.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
-----BEGIN CERTIFICATE-----
…snipped…
-----END CERTIFICATE-----
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
…snipped…
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=El Segundo/O=Teradata/OU=Domain Controllers/CN=sussan140.td.teradata.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
---
SSL handshake has read 5299 bytes and written 312 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
Explanation of Example 1
The error occurs at depth 1, that is, one certificate up the chain from the server certificate. openssl cannot verify certificate 1 (the VeriSign International Server CA - Class 3 intermediate) because it cannot find the certificate of that certificate's issuer, /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority, in its local trust store. That root CA certificate is the "local issuer certificate" the error message refers to; the server did not send it (servers normally do not send their root), so it has to be installed locally. The list of acceptable client certificate CA names in the output is the server's request for a client certificate and is unrelated to this error.
Corrective Action
Use the following procedure to provide the missing local issuer certificate.
1 Obtain the needed certificate.
2 Install the certificate. See “Installing the Certificate”.
3 Run the c_rehash utility. See “Creating Symlinks Using the Certlink Utility”.
Obtain the Needed Certificate
Typically, a certificate can be acquired from the site security administrator. For systems running Linux, with openssl installed, some or all of these certificates can be found in the /etc/ssl/certs directory. Do the following to obtain a certificate.
1 Go to the directory where certificates are stored, for example: /etc/ssl/certs.
2 List the files. The files look similar to:
dlopldap:~ # cd /etc/ssl/certs
dlopldap:/etc/ssl/certs # ls
1e49180d.0 7a9820c1.0 a3c60019.0 demo thawteCb.pem
2edf7016.0 843b6c51.0 aad3d04d.0 eng1.pem thawteCp.pem
56e607f4.0 878cf4c6.0 argena.pem eng2.pem vsign1.pem
594f1775.0 Equifax-root1.pem argeng.pem eng3.pem vsign3.pem
6adf0799.0 ICP-Brasil.pem c33a80d4.0 eng4.pem vsignss.pem
6f5d9899.0 RegTP-5R.pem cdd7aee7.0 eng5.pem wellsfgo.pem
714aceac.0 RegTP-6R.pem d4e39186.0 expired
7651b327.0 YaST-CA.pem ddc328ff.0 f73e89fd.0
dlopldap:/etc/ssl/certs # openssl x509 -inform pem -in vsign3.pem -subject
subject= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
-----END CERTIFICATE-----
dlopldap:/etc/ssl/certs #
Note: The files with a non-numeric suffix (.pem) are the certificate files; on this system all certificates are stored in PEM format. The files named with an eight-character hash and a .0 suffix are the symbolic links that c_rehash creates so that openssl can find a CA certificate by the hash of its subject name.
3 Use the openssl x509 command with the -subject option to print the subject of each certificate (add -noout to suppress the certificate body). Run it against each .pem file until you find a certificate whose subject matches the issuer of the certificate that could not be verified.
In the step 2 example, the subject printed for vsign3.pem, /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority, matches the issuer of certificate 1 in the chain shown in “Example 1: Use openssl to Identify the Certificates Not Verified”, so vsign3.pem is the missing local issuer certificate.
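The failure shown in Example 1 and the search in steps 2 and 3 above, carried through end to end as an added example that is not part of the original page or of any Teradata tooling. It assumes a POSIX shell and openssl 1.1.0 or later on the PATH. Because it must run offline it does not connect to a directory server: it builds its own root, intermediate and server certificates (every subject, file name and directory below is constructed for the demonstration), reproduces the depth 1 error with openssl verify, which applies the same chain-building rules as s_client, locates the certificate whose subject equals the missing issuer in a directory that stands in for /etc/ssl/certs, and then creates the hash symlinks with openssl rehash, the built-in equivalent of c_rehash, before verifying again.

```shell
#!/bin/sh
# Added example, not part of the original page. Builds a throwaway CA hierarchy
# (root -> intermediate -> directory server), reproduces "unable to get local
# issuer certificate" with openssl verify, finds the missing issuer in a
# certificate directory by subject name, and fixes the lookup with a rehash.
# Every subject, file name and the working directory below is constructed for
# this demonstration; $CERTDIR stands in for /etc/ssl/certs.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERTDIR="$WORK/certs"

CA_EXT=$(printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign')
LEAF_EXT=$(printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test')

# issue_cert NAME SUBJECT EXTENSIONS [ISSUER]: P-256 key plus certificate,
# self-signed when no ISSUER is given, otherwise signed by ISSUER's key.
issue_cert() {
  name=$1; subj=$2; exts=$3; issuer=${4:-}
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
  openssl req -new -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  printf '%s\n' "$exts" > "$WORK/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 30 -sha256 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 30 -sha256 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_chain() {
  mkdir -p "$CERTDIR"
  issue_cert root   "/C=US/O=Example CA/OU=Example Root CA"                      "$CA_EXT"
  issue_cert inter  "/C=US/O=Example CA/OU=Example Intermediate CA"              "$CA_EXT"   root
  issue_cert server "/C=US/O=Example/OU=Domain Controllers/CN=ldap.example.test" "$LEAF_EXT" inter
  issue_cert other  "/C=US/O=Unrelated CA/OU=Unrelated Root CA"                  "$CA_EXT"
  # The certificate directory holds a decoy and the root, like /etc/ssl/certs on
  # the page, but it has no hash symlinks yet.
  cp "$WORK/other.pem" "$CERTDIR/unrelated.pem"
  cp "$WORK/root.pem"  "$CERTDIR/examplert.pem"
}

# Example 1 situation: the server sends its own certificate and the intermediate
# (never the root) and the client has no trust store. Prints openssl's verdict,
# which ends in "error 20 at 1 depth lookup: unable to get local issuer certificate".
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/inter.pem" "$WORK/server.pem" 2>&1 || true
}

# "Obtain the Needed Certificate", steps 2 and 3: compare the subject of each
# .pem in the directory with the issuer of the certificate that failed at depth 1
# and print the file that matches.
find_issuer_in_store() {
  wanted=$(openssl x509 -noout -issuer -in "$WORK/inter.pem")
  wanted=${wanted#issuer=}
  for f in "$CERTDIR"/*.pem; do
    subj=$(openssl x509 -noout -subject -in "$f")
    [ "${subj#subject=}" = "$wanted" ] && { echo "$f"; return 0; }
  done
  return 1
}

# Corrective Action step 3: create the <hash>.0 symlinks openssl uses to look a
# CA up by subject name ("openssl rehash" does what c_rehash does), then verify
# against the directory as a client configured with that CApath would.
verify_with_store() {
  openssl rehash "$CERTDIR" >/dev/null 2>&1 || c_rehash "$CERTDIR" >/dev/null 2>&1
  openssl verify -no-CAfile -CApath "$CERTDIR" -untrusted "$WORK/inter.pem" "$WORK/server.pem" 2>&1 || true
}

build_chain
echo "== without the root CA available locally:"
verify_without_root
echo "== certificate in $CERTDIR whose subject matches the missing issuer:"
find_issuer_in_store
echo "== after rehash, verifying against $CERTDIR:"
verify_with_store
```

Run it as a script; set WORK to keep the generated files somewhere other than a temporary directory. Against a real directory server, openssl s_client -connect host:port -showcerts produces the chain shown in Example 1, and openssl verify -untrusted with the intermediate certificate copied out of that output gives the same depth 1 decision that verify_without_root shows here, so the same search and rehash apply.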