When attempting to verify google server's certificate chain using openssl, I am getting error.
Extract google's server and intermediate certificates:
$ echo | openssl s_client -showcerts -connect www.google.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/server_certs.crt
Extract google's root CA from jdk:
$ pwd
/cygdrive/c/Program Files/Java/jdk1.8.0_231/jre/lib/security
$ keytool -export -keystore cacerts -storepass changeit -alias 'globalsignr2ca [jdk]' -file /cygwin64/tmp/google_root.der
$ openssl x509 -in /tmp/google_root.der -out /tmp/google_root.pem -inform der
Also extracted google's root certificate from chrome browser to /tmp/google-chrome-root.pem. Doing a diff between chrome's root certificate and jdk extracted root certificate, there is no difference
$ diff /tmp/google_root.pem /tmp/google-chrome-root.pem
$ Based on this, I know, I am using the right root certificate.
Invoke openssl verify
$ openssl verify -CAfile /tmp/google_root.pem /tmp/server_certs.crt
C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
error 20 at 0 depth lookup: unable to get local issuer certificate error /tmp/server_certs.crt: verification failed
I know verification through
$ openssl s_client -showcerts -servername www.google.com -connect www.google.com:443
is successful
CONNECTED(00000005) depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign verify return:1 depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1 verify return:1 depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com verify return:1 and was expecting a similar successful result through the openssl verify command as well.
I am doing this exercise in windows 10 and cygwin.
openssl verifytakes only one cert (NOT a chain) from the (or each) operand file; dupe security.stackexchange.com/questions/163577/… and cross unix.stackexchange.com/questions/354195/… and stackoverflow.com/questions/44375300/… (all findable by searching "unable to get local issuer" BTW).