# OpenSSL: self-signed certificate in certificate chain

Diagnose and fix "self-signed certificate in certificate chain" when OpenSSL encounters an untrusted self-signed CA during TLS verification.

OpenSSL produces "self-signed certificate in certificate chain" (`verify error:num=19`) when the certificate chain includes a CA certificate that is signed by itself and is not present in the system's trusted CA bundle.
## When OpenSSL Produces This Error

OpenSSL displays this error during `openssl s_client -connect` when the server's certificate chain includes a self-signed root or intermediate CA that OpenSSL does not trust. This commonly occurs with internal corporate CAs, development environments, and private PKI infrastructure.
## What Causes "self-signed certificate in certificate chain" in OpenSSL

The server's certificate chain includes a CA certificate that is its own issuer — a self-signed certificate. OpenSSL checks this certificate against the system CA bundle. If the self-signed CA is not in the bundle, OpenSSL rejects the entire chain.

Corporate environments that deploy their own Certificate Authority for internal services produce this error on machines that have not been configured to trust the corporate CA. Development environments using self-signed certificates generated with `openssl req -x509` also trigger this error.
## How to Fix "self-signed certificate in certificate chain" in OpenSSL

Obtain the self-signed CA certificate from the organization's PKI administrator or extract it from the chain.

Add the CA certificate to the system trust store:

=== "Ubuntu / Debian"

    ```bash
    sudo cp corporate-ca.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates
    ```

=== "CentOS / RHEL"

    ```bash
    sudo cp corporate-ca.crt /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust
    ```

- Alternatively, pass the CA certificate directly to OpenSSL without modifying the system trust store:

    ```bash
    openssl s_client -connect internal.example.com:443 -CAfile /path/to/corporate-ca.crt
    ```
## How to Verify the Fix

OpenSSL returns verify code 0 after the CA is trusted:

```bash
openssl s_client -connect internal.example.com:443 </dev/null 2>/dev/null | grep "Verify return code"
```

```
Verify return code: 0 (ok)
```
## Related OpenSSL Errors

- `OpenSSL: unable to get local issuer certificate` — a missing intermediate, not a self-signed trust issue.
- For cURL connections to servers with self-signed CAs, use `curl --cacert corporate-ca.crt`; see "cURL SSL certificate problem".