Using openssl to Identify the Certificates Not Verified - Advanced SQL Engine - Teradata Database

Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Published: July 2021
Language: English (United States)
Last Update: 2022-02-15
dita:id: B035-1100
lifecycle: previous
Product Category: Teradata Vantage™

When you encounter verify error:num=20, you can use the openssl command to display the certificate chain. The output shows a chain that ends with an issuer for which there is no certificate, for example:

depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=El Segundo/O=Teradata/OU=Domain Controllers/CN=sussan140.td.teradata.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
-----BEGIN CERTIFICATE-----
…snipped…
-----END CERTIFICATE-----
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSig
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
…snipped…
-----END CERTIFICATE-----
Server certificate
subject=/C=US/ST=California/L=El Segundo/O=Teradata/OU=Domain Controllers/CN=sussan140.td.teradata.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c)1998 VeriSign,Inc.-For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
---
SSL handshake has read 5299 bytes and written 312 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE

The error occurs at a depth of 1; that is, openssl cannot verify the certificate one level down the certificate chain. This error indicates that openssl could not find the issuer certificate or an acceptable client certificate.
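
One way to pull the failing depth and the issuer that has no certificate out of captured output like the listing above. This is an added example, not Teradata or OpenSSL code. The sample output and all names in it are constructed, and the parser assumes the line layout shown on this page (`depth=`, `verify error:`, and numbered `s:`/`i:` chain entries).

```python
import re
import sys

# Constructed sample (hypothetical names) in the one-line DN format shown above.
SAMPLE = """\
depth=1 /O=Example Trust Network/OU=Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=db01.example.com
   i:/O=Example Trust Network/OU=Example Intermediate CA
 1 s:/O=Example Trust Network/OU=Example Intermediate CA
   i:/C=US/O=Example Root CA
---
"""

DEPTH = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR = re.compile(r"^verify error:num=(\d+):(.*)$")
SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER = re.compile(r"^\s+i:(.*)$")

def analyze(text):
    """Return (verify errors, certificates sent, issuers with no certificate sent)."""
    errors, chain, current = [], [], (None, None)
    for line in text.splitlines():
        line = line.rstrip()
        if m := DEPTH.match(line):
            current = (int(m.group(1)), m.group(2))  # certificate being verified
        elif m := ERROR.match(line):
            errors.append({"depth": current[0], "subject": current[1],
                           "num": int(m.group(1)), "reason": m.group(2)})
        elif m := SUBJECT.match(line):
            chain.append({"index": int(m.group(1)), "subject": m.group(2), "issuer": None})
        elif (m := ISSUER.match(line)) and chain:
            chain[-1]["issuer"] = m.group(1)
    sent = {c["subject"] for c in chain}
    # An issuer that never appears as a subject was not sent by the server, so it
    # must already be in the local trust store; a self-signed root names itself.
    missing = sorted({c["issuer"] for c in chain if c["issuer"] and c["issuer"] not in sent})
    return errors, chain, missing

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    errors, chain, missing = analyze(data)
    for e in errors:
        print(f"depth {e['depth']}: error {e['num']} ({e['reason']}) on {e['subject']}")
    for dn in missing:
        print(f"issuer with no certificate in the chain: {dn}")
```

Pipe saved openssl output to the script on standard input; with no piped input it analyzes the constructed sample.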