Trying to connect to imap.google.com:993 with openssl.
1) downloaded CAfile in encoded DER format from . The file called GTS Root R1
2) converted this file into PEM format
openssl x509 -inform der -in GTSR1.crt -out googleRootCA.pem 3) connect to imap.gmail.com:993 and use this googleRootCA.pem file
openssl.exe s_client -connect imap.gmail.com:993 -CAfile ./googleRootCA.pem But openssl reports: Verify return code: 20 (unable to get local issuer certificate)
Why? Its an official root CA from google so it should work?! OS: Windows 10
31 Answer
Its an official root CA from google so it should work?!
It's an official google root, but it's not the correct one.
Look at all the output from openssl s_client:
openssl s_client -connect imap.gmail.com:993 -CAfile GTSR1.pem CONNECTED(00000094) depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1 verify error:num=20:unable to get local issuer certificate --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=imap.gmail.com i:/C=US/O=Google Trust Services/CN=GTS CA 1O1 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1 i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign --- Server certificate [snipped -- irrelevant] --- No client certificate CA names sent Peer signing digest: SHA256 Server Temp Key: X25519, 253 bits --- SSL handshake has read 3216 bytes and written 261 bytes Verification error: unable to get local issuer certificate --- New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: [snipped except] Verify return code: 20 (unable to get local issuer certificate) --- Note the intermediate cert (numbered 1 in the chain display) has issuer (i:)
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign That's the root labelled 'GS Root R2' (not GTS) in the webpage which links here, and using that file converted to PEM works:
openssl s_client -connect imap.gmail.com:993 -CAfile GSR2.pem -quiet depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign verify return:1 depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1 verify return:1 depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gmail.com verify return:1 * OK Gimap ready for requests from [redacted] Also, the openssl error tells you the intermediate (aka subordinate) CA used is GTS CA 1O1, and that same webpage shows that GTS CA 1O1 is under GS Root 2, not GTS Root 1.