Why do I get Verify error:unable to get local issuer certificate when I run openssl ocsp?
I'm trying to validate a client certificate on an OCSP server but it fails.
This is the command that I'm trying to run:
```
openssl ocsp -issuer test_ca_cert.pem -cert my_test_client_cert.pem -text -url http://demo.server.com/ocsp
```
This is the output:
```
OCSP Request Data:
...
OCSP Response Data:
....
Certificate:
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Response Verify Failure
140530622551704:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate
my_test_client_cert.pem: good
This Update: Jan 17 15:56:46 2017 GMT
```
I checked that the Issuer in my client cert is the same as the one in test_ca_cert.pem.
What am I doing wrong? How can I fix this?
Thank you
Solution 1:[1]
Using -CAfile as @pedrofb suggested worked for me, but neither with the root nor with the intermediate certificate, but with the root and the intermediate bundled together (i.e. cat root.pem intermediate.pem > bundle.pem):
```
openssl ocsp \
    -CAfile root.cert.pem \
    -issuer intermediate.cert.pem \
    -cert server.cert.pem \
    -text \
    -url http://ocsp.example.com
```
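An offline reproduction of the trust-path problem discussed above, added here as an example and not part of the original question or answer. It builds a constructed root, intermediate, leaf and OCSP signing certificate (all file names and subjects are made up), lets `openssl ocsp` produce a response from a local index file, and verifies that response with `-CAfile` set first to the intermediate alone and then to the root and intermediate bundle. It assumes the responder signs with a delegated certificate issued by the intermediate.

```shell
# Constructed throwaway PKI: root -> intermediate -> {leaf, delegated OCSP signer}.
# Every file name and subject below is made up for this demo.
issue() {  # issue <name> <CN> <extension line> <x509 signing options...>
  n=$1 cn=$2 ext=$3; shift 3
  printf '%s\n' "$ext" > "$n.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$n.key" -out "$n.csr" 2>/dev/null &&
  openssl x509 -req -in "$n.csr" -days 30 -extfile "$n.ext" "$@" \
    -out "$n.pem" 2>/dev/null
}

build_demo() {
  ca='basicConstraints=critical,CA:TRUE'
  issue root  'Demo Root'         "$ca" -signkey root.key &&
  issue inter 'Demo Intermediate' "$ca" -CA root.pem -CAkey root.key -CAcreateserial &&
  issue leaf  'leaf.example' 'basicConstraints=CA:FALSE' \
    -CA inter.pem -CAkey inter.key -CAcreateserial &&
  issue ocsp  'Demo OCSP Signer' 'extendedKeyUsage=OCSPSigning' \
    -CA inter.pem -CAkey inter.key -CAcreateserial &&
  cat root.pem inter.pem > bundle.pem &&
  # Minimal CA database marking the leaf as valid (V), then an offline
  # request/response pair so no network responder is needed.
  serial=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2) &&
  printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=leaf.example\n' "$serial" > index.txt &&
  openssl ocsp -no_nonce -issuer inter.pem -cert leaf.pem -reqout req.der 2>/dev/null &&
  openssl ocsp -index index.txt -CA inter.pem -rsigner ocsp.pem -rkey ocsp.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
}

# Verify the saved response against one trust file; prints OK or FAIL.
check() {
  if openssl ocsp -no_nonce -respin resp.der -issuer inter.pem -cert leaf.pem \
       -CAfile "$1" 2>&1 | grep -q 'Response verify OK'
  then echo OK; else echo FAIL; fi
}

cd "$(mktemp -d)" && build_demo &&
  for f in inter.pem bundle.pem; do echo "-CAfile $f: $(check "$f")"; done
```

With only the intermediate trusted, the chain from the response signer never reaches a self-signed trust anchor, so verification fails; with the bundle it completes.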
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Stefan van den Akker |
