Why does OpenSSL report google's certificate is "self-signed"?
Michael Wojcik
Michael.Wojcik at microfocus.com
Thu Apr 1 14:21:43 UTC 2021
> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Mark
> Hack
> Sent: Thursday, 1 April, 2021 07:45
> To: openssl-users at openssl.org
> Subject: Re: Why does OpenSSL report google's certificate is "self-signed"?
>
> RFC6066
>
> Note that when a list of URLs for X.509 certificates is used, the
> ordering of URLs is the same as that used in the TLS Certificate
> message (see [RFC5246], Section 7.4.2), but opposite to the order in
> which certificates are encoded in PkiPath. In either case, the
> self-signed root certificate MAY be omitted from the chain, under the
> assumption that the server must already possess it in order to
> validate it.
Thanks! I thought I'd seen something about the question in some standard. Having seen this, I see that RFC 8446 (TLSv1.3) has essentially the same language: "a certificate that specifies a trust anchor MAY be omitted from the chain" (4.4.2). So servers are good either way.
--
Michael Wojcik