SSL Error: Unable to verify the first certificate on Postman

Danang Priabada
4 min read · Aug 14, 2024


This is how you can solve the issue.

Retrieve the Certificate Chain from the Server

You can retrieve the certificate chain from the server using the following OpenSSL command:

openssl s_client -connect api.bankabc.co.id:443 -showcerts

The important part is the issuer, which should be valid:

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
C:\Users\danang.priabada>openssl s_client -connect api.bankabc.co.id:443 -showcerts
CONNECTED(000001D0)
depth=0 C = ID, ST = Censored, L = Censored, O = Censored, CN = *.bankabc.co.id
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = ID, ST = Censored, L = Censored, O = Censored, CN = *.bankabc.co.id
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = ID, ST = Censored, L = Censored, O = Censored, CN = *.bankabc.co.id
verify return:1
---
Certificate chain
0 s:C = ID, ST = Censored, L = Censored, O = Censored, CN = *.bankabc.co.id
i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 21 07:36:15 2024 GMT; NotAfter: Apr 22 07:36:15 2025 GMT
-----BEGIN CERTIFICATE-----
<Censored>
-----END CERTIFICATE-----
---
Server certificate
subject=C = ID, ST = Censored, L = Censored, O = Censored, CN = *.bankabc.co.id
issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
---
read R BLOCK
closed

Access the repository website: http://certs.godaddy.com/repository/

Download these two certificates:

  • GoDaddy Class 2 Certification Authority Root Certificate — G2
  • GoDaddy Secure Server Certificate (Intermediate Certificate) — G2

Keep the .crt and .pem files that you download; we will need these two certificates to construct a proper certificate chain.

Save the Certificates

Back in OpenSSL, you can save the output of the openssl s_client command to a file to examine each certificate in the chain. For example:

openssl s_client -connect api.bankabc.co.id:443 -showcerts > cert_chain.txt

You can then open the cert_chain.txt file and extract each certificate into its own file if needed.
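
An added example (not part of the original post): a Python script that performs this extraction on the saved text and reports which issuer certificate the server left out of the chain it sent. The function names and the sample text are constructed for illustration; the sample reuses the chain section of the output above with a placeholder certificate body.

```python
import os
import re

# Constructed sample: the chain section of the s_client output shown above,
# with a placeholder body in place of the censored certificate.
SAMPLE = """\
Certificate chain
 0 s:C = ID, ST = Censored, L = Censored, O = Censored, CN = *.bankabc.co.id
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
---
"""

def parse_showcerts(text):
    """Return the certificates in the order sent: depth, subject, issuer, pem."""
    chain, cur, pem = [], None, None
    for line in text.splitlines():
        head = re.match(r"\s*(\d+) s:(.*)", line)
        if pem is not None:                      # inside a PEM block
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                cur["pem"] = "\n".join(pem) + "\n"
                chain.append(cur)
                cur, pem = None, None
        elif head:                               # "<depth> s:<subject DN>"
            cur = {"depth": int(head.group(1)), "subject": head.group(2).strip()}
        elif cur and line.strip().startswith("i:"):
            cur["issuer"] = line.strip()[2:].strip()
        elif cur and line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
    return chain

def first_unsent_issuer(chain):
    """DN of the first issuer the server did not send (None if the chain ends
    in a self-signed certificate). The client must hold that certificate itself."""
    sent = {c["subject"] for c in chain}
    return next((c["issuer"] for c in chain if c["issuer"] not in sent), None)

def write_pems(chain, outdir="."):
    """Write each certificate to <outdir>/cert_<depth>.pem; return the paths."""
    paths = [os.path.join(outdir, f"cert_{c['depth']}.pem") for c in chain]
    for path, c in zip(paths, chain):
        with open(path, "w", newline="\n") as fh:
            fh.write(c["pem"])
    return paths
```

To run it against the real output, pass the contents of cert_chain.txt to parse_showcerts instead of SAMPLE. For the server above, first_unsent_issuer returns the Go Daddy Secure Certificate Authority - G2 name, which is the intermediate the server should be sending along with its own certificate.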

Verify the Certificate Chain

In this step you must provide the valid CA bundle that is used by the target server.

To verify the certificate chain, use the following command:

openssl verify -CAfile <path_to_CA_bundle> <path_to_server_certificate>

For example:

C:\Users\danang.priabada>openssl verify -CAfile "D:\Certificate\CA\gd_bundle-g2-g1.crt" C:\Users\danang.priabada\cert_chain.pem
C:\Users\danang.priabada\cert_chain.pem: OK

If the certificate is valid and the chain is correct, OpenSSL will return:

cert_chain.pem: OK

If there are issues with the chain or the certificate, OpenSSL will return an error indicating what went wrong.

Construct the proper Certificate Chain

The certificate chain consists of several certificates:

Server Certificate (Leaf Certificate)

  • Purpose: This is the certificate issued to the domain (e.g., example.com). It contains the public key of the server and is used to establish an encrypted connection.
  • Position: It’s the first certificate in the chain when presented by the server.

Intermediate Certificate(s)

  • Purpose: These certificates are issued by the root CA or another intermediate CA. They act as a bridge between the root certificate and the server certificate.
  • Position: Intermediate certificates are placed between the server certificate and the root certificate in the chain. There can be one or more intermediate certificates, depending on the CA structure.

Root Certificate

  • Purpose: The root certificate is issued by a trusted Certificate Authority (CA) and is self-signed. It is the anchor of trust in the chain. All certificates in the chain ultimately lead back to this root certificate.
  • Position: The root certificate is at the top of the chain, although it is typically not sent by the server during the SSL handshake because it is already trusted by the client’s system or application.

The proper certificate chain will look like this:

-----BEGIN CERTIFICATE-----
<Server Certificate> in this case Certificate chain that you got from "openssl s_client -connect api.bankabc.co.id:443 -showcerts"
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate Certificate(s)> in this case "GoDaddy Secure Server Certificate (Intermediate Certificate) - G2"
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root Certificate> in this case "GoDaddy Class 2 Certification Authority Root Certificate - G2"
-----END CERTIFICATE-----

Save the file with the .pem extension so that it is a proper certificate file.

Simple Way to Get Certificate Chain

Just open your target URL in the Firefox browser, then download the PEM (chain) from it.

Enable The Certificate Verification

This is how to solve the “SSL Error: Unable to verify the first certificate” issue in Postman:

Settings -> Certificate (load your cert_chain.pem)

Settings -> General (then enable SSL certificate verification)
