[openssl-dev] Cannot verify self-signed certificates?
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Tue Dec 15 22:30:33 UTC 2015
>> If I want to “partially” verify a certificate via the command-line utility
>> - e.g. when I don’t have the issuing certificate at hand, is there a way
>> to tell openssl tool to go just as far as it can *without* climbing up the
>> cert chain? I understand and agree that it significantly reduces the value
>> of the verification - but in some [of my use] cases it is sufficient. If
>> it is not supported now - would it be possible to add such capability as
>> an option?
>
>What does "partially verify mean? Without the issuer's public key, you
>can't check the signature, so all you can do is *parse* the certificate,
>but you can't *verify* it.
Yes, you’re 100% correct.
By “partially verify” I mean “check for (in)consistencies”, malformed
attributes, extensions disagreeing with “-purpose”, etc.
Also, I may not have *all* of the chain available - in which case I’d like
this command-line tool to stop at the last *available* certificate of the
verification chain, telling me whether the check was OK or not *within the
available chain*.
>The "x509" utility parses certificates, what do you want to do that goes
>beyond parsing, but stops short of checking
>the issuer signature?
As I said above - match of the extensions to “-purpose”, for one thing…
“x509” just parses. But I guess you’re correct - if I don’t have the chain
to verify signatures, eyeballing the extensions printed with “-text
-noout" would in the end give the same result. Having a tool doing it for
me would be more convenient, but I see your point.
Also, in your next email you mention “openssl verify -partial_chain”.
Alas, I don’t see this option:
$ openssl version
OpenSSL 1.0.2e 3 Dec 2015
$ openssl verify --help
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose]
[-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2
...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
timestampsign Time Stamp signing
$ man verify
NAME
       verify - Utility to verify certificates.
SYNOPSIS
       openssl verify [-CApath directory] [-CAfile file] [-purpose purpose]
       [-policy arg] [-ignore_critical] [-attime timestamp] [-check_ss_sig]
       [-crlfile file] [-crl_download] [-crl_check] [-crl_check_all]
       [-policy_check] [-explicit_policy] [-inhibit_any] [-inhibit_map]
       [-x509_strict] [-extended_crl] [-use_deltas] [-policy_print]
       [-no_alt_chains] [-untrusted file] [-help] [-issuer_checks]
       [-trusted file] [-verbose] [-] [certificates]
DESCRIPTION
       The verify command verifies certificate chains.
Thanks!
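The behaviour asked about in the message above is exactly what -partial_chain gives: any certificate in the trust store may terminate the chain, so a leaf can be verified against an intermediate alone, and -purpose still checks the extensions of every certificate in the shortened chain. The flag is accepted by 1.0.2's verify even though it is missing from the usage text quoted above, because it is parsed by the shared verification-option code in apps.c rather than by verify.c itself. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway root -> intermediate -> client-certificate PKI in a temporary directory and runs the verification variants side by side. It assumes a 1.1.1 or 3.x openssl binary on PATH; the names in the certificates are made up.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a three-tier test PKI
# and shows how `openssl verify` behaves with the full chain, with the root
# missing, with -partial_chain, and with -partial_chain plus -purpose.
# Assumes openssl 1.1.1 or 3.x on PATH; all subject names are made up.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl binary not found; nothing to demonstrate" >&2
    exit 0
fi

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# One config file for all three certificates. The [req]/[dn] part exists only
# because `openssl req` insists on a distinguished_name section; -subj wins.
cat > "$PKI/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_inter ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed root (P-256 keys keep the run fast).
gen_root() {
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$PKI/ext.cnf" -extensions v3_root -days 30 \
        -subj "/CN=Example Root CA" -keyout "$PKI/root.key" -out "$PKI/root.pem" 2>/dev/null
}

# issue NAME SUBJECT ISSUER EXT_SECTION: make a key + CSR, sign it with ISSUER.
issue() {
    name=$1; subj=$2; issuer=$3; ext=$4
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$PKI/ext.cnf" -subj "$subj" \
        -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
    openssl x509 -req -in "$PKI/$name.csr" -days 30 \
        -CA "$PKI/$issuer.pem" -CAkey "$PKI/$issuer.key" -CAcreateserial \
        -extfile "$PKI/ext.cnf" -extensions "$ext" -out "$PKI/$name.pem" 2>/dev/null
}

gen_root
issue inter "/CN=Example Issuing CA" root  v3_inter
issue leaf  "/CN=client.example.test" inter v3_client

# Full chain: root trusted, intermediate supplied as untrusted, leaf checked.
verify_full()         { openssl verify -CAfile "$PKI/root.pem" -untrusted "$PKI/inter.pem" "$PKI/leaf.pem"; }
# Root missing, no -partial_chain: the intermediate is in the trust store but is
# not self-signed, so the chain cannot be completed and verification fails.
verify_without_root() { openssl verify -CAfile "$PKI/inter.pem" "$PKI/leaf.pem"; }
# Root missing, -partial_chain: the trusted intermediate may terminate the chain.
verify_partial()      { openssl verify -partial_chain -CAfile "$PKI/inter.pem" "$PKI/leaf.pem"; }
# Same shortened chain, plus a purpose: keyUsage/EKU are still checked against it.
verify_partial_purpose() { openssl verify -partial_chain -purpose "$1" -CAfile "$PKI/inter.pem" "$PKI/leaf.pem"; }
# What `x509` can say about the leaf with no chain at all: its purpose table.
leaf_purposes()       { openssl x509 -in "$PKI/leaf.pem" -noout -purpose; }

# show LABEL CMD...: run one check, report its exit status and output.
show() {
    label=$1; shift
    rc=0; out=$("$@" 2>&1) || rc=$?
    printf '%s -> exit %d\n%s\n\n' "$label" "$rc" "$out"
}

show "full chain (root trusted, intermediate untrusted)" verify_full
show "no root, no -partial_chain"                        verify_without_root
show "no root, -partial_chain"                           verify_partial
show "no root, -partial_chain -purpose sslclient"        verify_partial_purpose sslclient
show "no root, -partial_chain -purpose sslserver"        verify_partial_purpose sslserver
echo "--- openssl x509 -noout -purpose on the leaf (no chain needed) ---"
leaf_purposes
```

The leaf carries only a clientAuth EKU, so the sslclient run succeeds and the sslserver run fails with "unsupported certificate purpose" even though the signatures are identical in both cases; that is the extension-versus-purpose check performed on whatever part of the chain is available. The purpose table from `x509 -purpose` is the same information with no signature checking at all, which is the trade-off discussed in the message.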