SSL Certificate Verification and Trust Issues¶
SSL Certificate Verification and Trust Issues occur when a client (such as a web browser or a tool like curl) cannot validate a server's certificate against the certificates trusted by the local system, and therefore cannot confirm the identity of the server it is talking to.^[600-developer__tools__security__security-file-extension-name.md]
The Trust Model¶
Verification relies on a local store of trusted Root CA (Root Certificate Authority) certificates.^[600-developer__tools__security__security-file-extension-name.md] These root certificates are pre-installed in operating systems (such as Windows) and form the "root of trust."^[600-developer__tools__security__security-file-extension-name.md] When a server presents a certificate, the client builds a chain from that certificate, through any intermediate CA certificates, to a root present in this trusted store, and accepts the server's identity only if every signature in the chain is valid, the chain ends at such a root, and the name in the certificate matches the host being requested.^[600-developer__tools__security__security-file-extension-name.md]
In Windows, these trusted certificates are managed centrally through the Certificate Manager (certmgr.msc for the current user's stores, certlm.msc for the local machine's).^[600-developer__tools__security__security-file-extension-name.md] Its Trusted Root Certification Authorities store holds the roots that allow the OS and its applications to verify the legitimacy of websites and services.^[600-developer__tools__security__security-file-extension-name.md] Not every client consults that store: a curl built against Schannel uses it, while a curl built against OpenSSL reads its own CA bundle file, so the same site can verify in a browser and fail in curl.
Verification Failures¶
A common error encountered during verification failures is curl's: curl: (60) SSL certificate problem: unable to get local issuer certificate.^[600-developer__tools__security__security-file-extension-name.md] The number 60 is curl's exit code for a failed peer verification, and the message means the client could not find, among the certificates it trusts, the certificate of the CA that issued the presented certificate, so the chain cannot be completed to a trusted root.^[600-developer__tools__security__security-file-extension-name.md] Typical causes are a self-signed development certificate, a private or corporate CA whose root was never installed, a server that omits its intermediate certificates, or a TLS-intercepting proxy that re-signs traffic with its own CA.
It is important to note that this is a trust issue, not necessarily a connectivity failure: the TCP connection and the start of the TLS handshake succeed, and the client aborts only because it cannot verify who is on the other end.^[600-developer__tools__security__security-file-extension-name.md] The server is reachable; it just has not been proven to be the intended one.
Resolution Methods¶
Ignoring Verification¶
For troubleshooting, the verification step can be bypassed entirely.^[600-developer__tools__security__security-file-extension-name.md] In curl, this is done using the --insecure flag (short form -k), which allows the connection to proceed without certificate validation.^[600-developer__tools__security__security-file-extension-name.md] The traffic is still encrypted, but to an unauthenticated peer: anyone able to intercept the connection can present their own certificate and read or modify the exchange. Use it only to confirm that the problem is trust rather than connectivity, never as a permanent fix in scripts or production configuration.
Specifying a Certificate Authority¶
To correctly resolve the issue, the client must be provided with the certificate it should treat as the trust anchor for that server.^[600-developer__tools__security__security-file-extension-name.md] For a self-signed certificate, that is the server's own certificate; for a certificate issued by a private CA, it is the CA's root certificate, with any intermediates appended to the same file if the server does not send them. If that certificate has been saved to a PEM file (e.g., localhost.crt), it can be explicitly passed to the client.^[600-developer__tools__security__security-file-extension-name.md]
For example, using curl with the --cacert parameter directs the client to verify the server against the certificate file provided instead of its default CA bundle.^[600-developer__tools__security__security-file-extension-name.md] Because --cacert replaces the default bundle for that invocation, the same command would fail against a public site; the durable alternative is to import the certificate into the system's trusted store. The certificate must also match the requested host name (localhost here, as a subjectAltName entry), or verification fails for a different reason.
curl https://localhost:5001/ --cacert localhost.crt
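The following script, an added example that is not part of the original page, reproduces the whole situation end to end: it generates a self-signed certificate for localhost, serves it from a local openssl s_server, shows curl failing with exit code 60, then clears the failure both ways described above (--insecure and --cacert). It also passes an unrelated certificate to --cacert to show that the flag names a trust anchor rather than switching verification off, and runs the same chain decision offline with openssl verify. It assumes openssl 1.1.1 or newer and curl are installed; the port, file names and subject names are arbitrary choices for this demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: reproduce curl's exit code 60
# against a self-signed certificate for localhost, then clear it the two ways
# the text describes. Assumes openssl (1.1.1+) and curl are installed; the
# port, file names and subject names are arbitrary choices for this demo.
set -u

WORK="$(mktemp -d)"
PORT="${DEMO_PORT:-18443}"
URL="https://localhost:$PORT/"
SERVER_PID=""

# Self-signed server certificate. curl matches the host name against the
# subjectAltName, so the SAN must contain DNS:localhost.
make_certs() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 1 -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
    -keyout "$WORK/localhost.key" -out "$WORK/localhost.crt" >/dev/null 2>&1
  # An unrelated self-signed certificate, used to show that --cacert names a
  # trust anchor and is not a "trust anything" switch.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 1 -subj "/CN=Unrelated Root" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
}

# Minimal HTTPS server: openssl s_server -www answers each GET with a page.
start_server() {
  openssl s_server -4 -accept "$PORT" -cert "$WORK/localhost.crt" \
    -key "$WORK/localhost.key" -www >/dev/null 2>&1 &
  SERVER_PID=$!
  local i=0
  while [ "$i" -lt 50 ]; do            # wait until the port answers
    curl -4 -sk -o /dev/null "$URL" 2>/dev/null && return 0
    i=$((i + 1)); sleep 0.2
  done
  return 1
}

teardown() {
  if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null; fi
  rm -rf "$WORK"
}

# Run curl against the local server with extra flags and print its exit code
# (0 = verified and fetched, 60 = certificate could not be verified).
curl_status() {
  local rc=0
  curl -4 -s -o /dev/null "$@" "$URL" 2>/dev/null || rc=$?
  echo "$rc"
}

# The same trust decision without a network: does the certificate chain to
# the given anchor? Prints 0 if openssl verify accepts it, 1 otherwise.
chain_status() {  # $1 = trust anchor file, $2 = certificate to check
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

trap teardown EXIT
make_certs
start_server || { echo "local TLS server did not start" >&2; exit 1; }

echo "no trust anchor:               exit $(curl_status)"                                # 60
echo "--insecure (bypass):           exit $(curl_status --insecure)"                     # 0
echo "--cacert localhost.crt:        exit $(curl_status --cacert "$WORK/localhost.crt")" # 0
echo "--cacert other.crt:            exit $(curl_status --cacert "$WORK/other.crt")"     # 60
echo "openssl verify, right anchor:  $(chain_status "$WORK/localhost.crt" "$WORK/localhost.crt")" # 0
echo "openssl verify, wrong anchor:  $(chain_status "$WORK/other.crt" "$WORK/localhost.crt")"     # 1
```

The two failing cases both return 60, which is the point worth internalizing: curl distinguishes "could not verify" from "could not connect", and supplying the wrong anchor is no better than supplying none. Replace the self-signed certificate with a private CA's root and the same --cacert call verifies any server certificate that CA has issued, provided the server sends its intermediates or they are appended to the file.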
Sources¶
600-developer__tools__security__security-file-extension-name.md
Related Concepts¶
- [[PKCS#12]]
- OpenSSL
- [[Public Key Infrastructure]]
- [[Curl]]