Fix OpenSSL Error: Unable To Get Local Issuer Certificate
Feb 19, 2021
The aim of this little playbook🏁 is to fix
verify error:num=20:unable to get local issuer certificate
when running certificate chain verifications with OpenSSL, for example with
▶ openssl s_client -connect google.com:443
CONNECTED(00000184)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
If you don’t understand certificate chains, watch the explainer first. What’s behind the issue?
- OpenSSL cannot validate the chain: OpenSSL itself comes without a list of trusted Root Certificate Authorities (unlike browsers!)
- I.e., you need to install the CA(s) as trusted
- You can do it either one-by-one, by downloading a particular cert (with the help of a browser)
- Or (what I do) in bulk, by downloading for example the cacert.pem bundle from curl - Extract CA Certs from Mozilla
- Within OpenSSL itself there are 2 relevant command parameters:
-CAfile → points to a single file holding the cert(s) trusted as Root CA
-CApath → points to a folder with certs used as trusted Root CA
- For more, see "How to list certificates, trusted by OpenSSL?" on Stack Overflow
1. Steps for Windows/PowerShell
- Download cacert.pem provided by curl - Extract CA Certs from Mozilla:
Invoke-WebRequest https://curl.se/ca/cacert.pem -OutFile c:\cacert.pem
- Run OpenSSL with the -CAfile flag pointing to the absolute path of the downloaded cacert.pem:
▶ openssl s_client -connect google.com:443 -CAfile c:\cacert.pem
CONNECTED(00000184)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
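Added example, not part of the original post: a POSIX shell version of the same check that builds a throwaway root → intermediate → leaf chain, reproduces error 20 with no trust store, and then verifies the leaf with -CAfile and with -CApath. It assumes openssl 1.1.1 or newer is on the PATH; all certificate names are invented test material and live in a temp directory.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a test root -> intermediate
# -> leaf chain, reproduces "error 20: unable to get local issuer certificate",
# then fixes it with -CAfile and -CApath. Assumes openssl 1.1.1+ in PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() {
  # Self-signed test root (req -x509 marks it CA:TRUE by default).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Test Root" 2>/dev/null
  # Intermediate issued by the root; it must carry CA:TRUE to be a valid issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Test Intermediate" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Leaf issued by the intermediate, like *.google.com under GTS CA 1O1 above.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null
  # -CApath wants a directory indexed by subject hash; openssl rehash builds it.
  mkdir -p "$WORK/cadir" && cp "$WORK/root.pem" "$WORK/cadir/" \
    && openssl rehash "$WORK/cadir" 2>/dev/null
}

# Verify the leaf with the intermediate supplied as -untrusted (the role a
# server's sent chain plays in s_client) plus the trust options given in $1.
verify_leaf() {
  openssl verify $1 -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1 || true
}

# No trust store at all: the chain stops at the intermediate, error 20.
fails_without_trust() {
  verify_leaf "-no-CAfile -no-CApath" | grep -q "unable to get local issuer certificate"
}
# Root supplied via -CAfile (one file, the role cacert.pem plays in the post).
passes_with_cafile() { verify_leaf "-no-CApath -CAfile $WORK/root.pem" | grep -q ': OK$'; }
# Root supplied via -CApath (a hashed directory of trusted CA certs).
passes_with_capath() { verify_leaf "-no-CAfile -CApath $WORK/cadir" | grep -q ': OK$'; }

make_chain
fails_without_trust && echo "no trust store: error 20 reproduced"
passes_with_cafile && echo "-CAfile: chain verified"
passes_with_capath && echo "-CApath: chain verified"
```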