16.10 - Using openssl to Identify the Certificates Not Verified - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release: 16.10
Created: June 2017
Category: Administration, Security
Feature number: B035-1100-161K

When you encounter verify error:num=20, you can use the openssl command to display the certificate chain. The output shows a chain that ends with an issuer for which there is no certificate, for example:

depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=El Segundo/O=Teradata/OU=Domain Controllers/CN=sussan140.td.teradata.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
-----BEGIN CERTIFICATE-----
…snipped…
-----END CERTIFICATE-----
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSig
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
…snipped…
-----END CERTIFICATE-----
Server certificate
subject=/C=US/ST=California/L=El Segundo/O=Teradata/OU=Domain Controllers/CN=sussan140.td.teradata.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c)1998 VeriSign,Inc.-For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
---
SSL handshake has read 5299 bytes and written 312 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE

The error occurs at a depth of 1: one certificate down the certificate chain, openssl cannot verify the certificate. This error indicates that openssl could not find the issuer certificate or an acceptable client certificate.
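
The following shell functions are an added example, not part of the Teradata documentation. They read output in the layout shown above and report the depth of each verify error and every issuer named in the chain for which the server sent no certificate. It is assumed that the output came from openssl s_client with -showcerts; the sample data and all names in it are constructed.

```shell
# Print "depth=N num=M reason" for every verify error. openssl prints the
# "depth=N <subject>" line directly above the error it belongs to.
verify_errors() {
    awk '
        /^depth=[0-9]+/ { split($1, d, "="); depth = d[2] }
        /^verify error:num=/ {
            split($0, f, ":")   # f[2] is "num=20", f[3] is the reason text
            print "depth=" depth " " f[2] " " f[3]
        }'
}

# Print each issuer named in the "Certificate chain" block for which the
# server sent no certificate (no matching s: line). That certificate has
# to come from the local trust store for verification to succeed.
unsent_issuers() {
    awk '
        /^Certificate chain/  { in_chain = 1; next }
        /^Server certificate/ { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); sent[$0] = 1; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); issuer[++n] = $0 }
        END {
            for (k = 1; k <= n; k++)
                if (!(issuer[k] in sent) && !seen[issuer[k]]++) print issuer[k]
        }'
}

# Constructed sample in the same layout as the output above (names invented).
sample_output() {
    cat <<'EOF'
depth=1 /C=US/O=Example Corp/CN=Example Issuing CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=db.example.test
   i:/C=US/O=Example Corp/CN=Example Issuing CA
 1 s:/C=US/O=Example Corp/CN=Example Issuing CA
   i:/C=US/O=Example Root CA
---
Server certificate
subject=/C=US/O=Example Corp/CN=db.example.test
EOF
}

sample_output | verify_errors
sample_output | unsent_issuers
# Live use (HOST:PORT is a placeholder):
#   openssl s_client -connect HOST:PORT -showcerts </dev/null 2>&1 | unsent_issuers
```

An issuer printed by unsent_issuers is the one whose certificate must be present in the trust store that openssl is using; a chain that ends in a self-signed certificate sent by the server produces no output.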