Sunday, September 23, 2012

error 20 at 0 depth lookup:unable to get local issuer certificate

This particular error occurs because the certificate has expired. To fix it, renew the certificate: remove the old one, create a new certificate, and attach it to the web server or wallet.

Step 1

Check the certificate with the openssl verify command

[oracle@fahtestdb Fa_Ca]$ openssl verify <domain_name>.com.pem
<domain_name>.com.pem: /CN=*.<domain_name>.com/OU=oic/O=oic_it/L=Dubai/ST=Dubai/C=AE
error 20 at 0 depth lookup:unable to get local issuer certificate 

Step 2

Check whether the certificate is valid or expired

[oracle@fahtestdb Fa_Ca]$ openssl x509 -noout -text -in <domain_name>.com.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            d7:79:73:18:59:89:db:71
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AE, ST=Dubai, L=Dubai, O=<company_name>, OU=<organization unit>, CN=RootCa/emailAddress=palaneandavar@gmail.com
        Validity
            Not Before: Aug 22 09:30:17 2012 GMT
            Not After : Sep 21 09:30:17 2012 GMT
        Subject: CN=*.<domain_name>.com, OU=oic, O=oic_it, L=Dubai, ST=Dubai, C=AE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d0:cc:54:f9:aa:da:88:4e:22:4a:0d:c3:71:92:
                    96:57:b5:27:c0:13:a3:f6:ac:d2:16:fc:fd:68:49:
                    92:d8:59:0d:87:bc:27:d4:31:91:df:ac:b4:62:6d:
                    d8:37:cf:c4:e0:08:38:96:0a:eb:92:49:78:9e:41:
                    79:c5:74:fe:d4:a5:82:e3:a2:17:10:4e:c0:41:f5:
                    bf:99:0f:1a:ac:d9:e6:a9:ab:f2:0c:f2:78:25:ef:
                    08:a0:37:ba:51:64:53:ae:02:13:cd:a7:bb:3b:71:
                    ee:27:9c:c6:1e:77:a7:82:75:0e:2e:57:f4:d0:31:
                    9f:a3:67:51:e6:c1:27:0a:1f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        95:93:db:b3:2f:f4:43:54:91:a2:9d:ec:e9:ff:7d:b5:2f:27:
        8b:45:8c:1e:c7:88:ee:66:16:01:98:0e:09:3a:d4:6c:37:e8:
        e6:97:48:6b:69:a0:47:ca:54:dc:40:45:db:00:93:b2:db:40:
        85:cb:f3:4c:e3:e4:33:aa:8e:6e
 
The output will look like the example above. Check the expiry date in the output: if the Not After date is earlier than the current date, the certificate has expired and we need to create a new certificate and replace it.

Step 3

Create the new certificate

openssl x509 -req -in <domain_name>.req -CA fa_root_cert.pem -CAkey fa_privkey.pem -CAcreateserial -out *.<domain_name>.pem

-req -in: the request file that was generated to request the user certificate
-CA: the root CA certificate that was created (the certificate authority that signs this user certificate)
-CAkey: the private key generated for this certificate (the root CA certificate above)
-CAcreateserial: creates the CA serial number file if it does not already exist
-out: the output file, i.e. the user certificate

If you have multiple sites under one domain, you can use a wildcard [*] when creating the certificate, so that it is accepted for all the sites under the same domain.

Step 4

Remove the old certificate from its location and replace it with the newly created certificate.
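The four steps above as one script, added here as an example and not part of the original post: it builds a throwaway root CA, signs a wildcard certificate with the Step 3 command, then reports the expiry state and the openssl verify error number with and without the root CA supplied. The file names reuse the post's fa_root_cert.pem and fa_privkey.pem; the example.test domain, server_key.pem and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. The lab CA and all certificates are constructed; example.test is a placeholder.

# Build a throwaway root CA and a wildcard certificate valid for $2 days in directory $1.
make_lab() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=RootCa" \
        -keyout "$d/fa_privkey.pem" -out "$d/fa_root_cert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$d/server_key.pem" -out "$d/example.test.req" 2>/dev/null
    # Same signing command as Step 3, plus -days: without it, openssl x509 -req
    # issues a certificate that is valid for only 30 days.
    openssl x509 -req -in "$d/example.test.req" -CA "$d/fa_root_cert.pem" \
        -CAkey "$d/fa_privkey.pem" -CAcreateserial -days "$2" -sha256 \
        -out "$d/example.test.pem" 2>/dev/null
}

# Print expired / expiring / ok for certificate $1, with a warning window of $2 days.
expiry_state() {
    [ -r "$1" ] || { echo unreadable; return 1; }
    if ! openssl x509 -checkend 0 -noout -in "$1" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# Print the openssl verify error number for certificate $1 (0 = chain is valid).
# Extra arguments such as -CAfile are passed through to openssl verify.
verify_error() {
    cert=$1; shift
    out=$(openssl verify "$@" "$cert" 2>&1) && rc=0 || rc=$?
    n=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$n" ]; then echo "$n"; elif [ "$rc" -eq 0 ]; then echo 0; else echo unknown; fi
}

lab=$(mktemp -d) && trap 'rm -rf "$lab"' EXIT
make_lab "$lab" 30
openssl x509 -noout -enddate -in "$lab/example.test.pem"
echo "expiry, 7-day window:  $(expiry_state "$lab/example.test.pem" 7)"
echo "expiry, 60-day window: $(expiry_state "$lab/example.test.pem" 60)"
echo "verify, no CA given:   error $(verify_error "$lab/example.test.pem")"
echo "verify, with -CAfile:  error $(verify_error "$lab/example.test.pem" -CAfile "$lab/fa_root_cert.pem")"
```

Running expiry_state from a scheduled job with a warning window longer than the renewal lead time flags a certificate before it lapses.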





 
