I am running Windows Vista and am attempting to connect via https to upload a file in a multi part form but I am having some trouble with the local issuer certificate. I am just trying to figure out why this isnt working now, and go back to my cURL code later after this is worked out. Im running the command:

openssl s_client -connect connect_to_site.com:443It gives me an digital certificate from VeriSign, Inc., but also shoots out an error:

Verify return code: 20 (unable to get local issuer certificate)What is the local issuer certificate? Is that a certificate from my own computer? Is there a way around this? I have tried using -CAfile mozilla.pem file but still gives me same error.

You are watching: Verify error num 20 unable to get local issuer certificate


I had the same problem and solved it by passing path to a directory where CA keys are stored. On Ubuntu it was:

openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443


This error also happens if you"re using a self-signed certificate with a keyUsage missing the value keyCertSign.


Solution:You must explicitly add the parameter -CAfile your-ca-file.pem.

Note: I tried also param -CApath mentioned in another answers, but is does not works for me.

Explanation:Error unable to get local issuer certificate means, that the openssl does not know your root CA cert.

Note: If you have web server with more domains, do not forget to add also -servername your.domain.net parameter. This parameter will "Set TLS extension servername in ClientHello". Without this parameter, the response will always contain the default SSL cert (not certificate, that match to your domain).


Is your server configured for client authentication? If so you need to pass the client certificate while connecting with the server.


I had the same problem on OSX OpenSSL 1.0.1i from Macports, and also had to specify CApath as a workaround (and as mentioned in the Ubuntu bug report, even an invalid CApath will make openssl look in the default directory). Interestingly, connecting to the same server using PHP"s openssl functions (as used in PHPMailer 5) worked fine.

put your CA & root certificate in /usr/share/ca-certificate or /usr/local/share/ca-certificate.Then

dpkg-reconfigure ca-certificates

or even reinstall ca-certificate package with apt-get.

After doing this your certificate is collected into system"s DB:/etc/ssl/certs/ca-certificates.crt

Then everything should be fine.

With client authentication:

openssl s_client -cert ./client-cert.pem -key ./client-key.key -CApath /etc/ssl/certs/ -connect foo.example.com:443
Create the certificate chain file with the intermediate and root ca.

cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pemchmod 444 intermediate/certs/ca-chain.cert.pemThen verfify

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \ intermediate/certs/www.example.com.cert.pemwww.example.com.cert.pem: OKDeploy the certific

I faced the same issue, It got fixed after keeping issuer subject value in the certificate as it is as subject of issuer certificate.

so please check "issuer subject value in the certificate(cert.pem) == subject of issuer (CA.pem)"

openssl verify -CAfile CA.pem cert.pem cert.pem: OK

this error messages means thatCABundle is not given by (-CAfile ...) ORthe CABundle file is not closed by a self-signed root certificate.

Don"t worry. The connection to server will work even you get theis message from openssl s_client ... (assumed you dont take other mistake too)

Thanks for contributing an answer to Stack Overflow!

Please be sure to answer the question. Provide details and share your research!

But avoid

Asking for help, clarification, or responding to other answers.Making statements based on opinion; back them up with references or personal experience.

See more: Cher Lloyd Craig Monk - Cher Lloyd Husband Craig Monk

To learn more, see our tips on writing great answers.

Post Your Answer Discard

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

Not the answer you're looking for? Browse other questions tagged openssl or ask your own question.

Adding a new SSL certificate to solve Verify return code: 20 (unable to get local issuer certificate)?
site design / logo © 2021 Stack Exchange Inc; user contributions licensed under cc by-sa. rev2021.9.10.40187

Your privacy

By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.