I have a client-provided SSL cert that seems to be provided by Verisign but issued by my good friends at Network Problems. I thought this was part of default cert.pem, but maybe not. The docs on Verisign's site are... ahem... unhelpful. I have what I think is the correct CA chain for this cert, but still trying to determine what marketing terms overlap with what reality. But how is it to be tested? here is the info ( nj.pem contains the Certificate and the Private Key ) $ openssl verify nj.pem nj.pem: /C=US/postalCode=99999/ST=OH/L=Columbus/streetAddress=4111 XXXX Ave./O=XYZ Inc./OU=Secure Link SSL Pro/CN=xyz.foo.com error 20 at 0 depth lookup:unable to get local issuer certificate $ openssl x509 -noout -in nj.pem -issuer issuer= /C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority So if append the correct CA certs to my nj.pem, then 'openssl verify' should be happy, is this correct? thanks!