[openssl-dev] Cannot verify self-signed certificates?

Viktor Dukhovni openssl-users at dukhovni.org
Tue Dec 15 20:34:08 UTC 2015


On Tue, Dec 15, 2015 at 08:04:45PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:

> It appears that openssl verify refuses to deal with self-signed
> certificates?

You mean the command-line utility?

    $ openssl x509 -in rootcert.pem -subject -issuer
    subject= CN = Root CA
    issuer= CN = Root CA
    -----BEGIN CERTIFICATE-----
    MIIBZDCCAQugAwIBAgIBATAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdSb290IENB
    MCAXDTE1MTIxMzIzMTMwOFoYDzMwMTUwNDE1MjMxMzA4WjASMRAwDgYDVQQDDAdS
    b290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0dpXj9GPuGRWsNkbVla9
    1o1N29JQ4zdXESfHXgVg9B0K+Rv6+IBfgMKMAmoU1P6MMKlnO57AwFqEqoENE0G3
    bKNQME4wHQYDVR0OBBYEFOS9QF8FKoIN35iD+T19P5Cq7HI/MB8GA1UdIwQYMBaA
    FOS9QF8FKoIN35iD+T19P5Cq7HI/MAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwID
    RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
    vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
    -----END CERTIFICATE-----

    $ openssl verify -CAfile rootcert.pem rootcert.pem
    rootcert.pem: OK

> Here’s what I get:
> 
> $ openssl verify -verbose -purpose sslclient -purpose smimesign test2.pem
> 
> test2.pem: CN = test2, C = US
> 
> error 20 at 0 depth lookup:unable to get local issuer certificate

No CAfile, no trust.

And your particular certificate has:

            X509v3 Basic Constraints: critical
                CA:FALSE

which does prevent it from verifying itself.  The "CA:FALSE"
constraint is only really useful in certificates issued from a
different key.  No security benefit in setting it in self-signed
certificates.

$ openssl x509 -text -noout <<EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
SAMECERT
) 3<<SAMECERT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=test2, C=US
        Validity
            Not Before: Dec 15 19:56:58 2015 GMT
            Not After : Dec 14 19:56:58 2016 GMT
        Subject: CN=test2, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:9a:8f:d8:79:41:f0:8b:26:ab:f8:3c:b3:a0:
                    af:e6:a9:31:1c:de:78:5a:18:08:d4:31:9d:9f:4a:
                    6e:53:9c:4c:e2:cf:13:09:13:71:12:62:37:b4:08:
                    88:33:ab:09:55:35:25:85:e0:eb:84:4a:8a:24:60:
                    66:9c:17:df:d1:f9:e2:67:e7:c1:6b:9f:33:83:82:
                    56:ac:98:33:0b:c5:42:bc:91:61:85:4e:42:25:4a:
                    92:fb:d9:cb:55:6d:94:7d:6b:12:46:18:24:d1:0e:
                    eb:42:17:31:4c:cd:a7:6c:9c:35:c4:32:6a:06:00:
                    f2:c2:48:aa:d0:f0:31:5d:53:29:97:49:4b:73:a4:
                    a6:8d:36:58:28:1b:65:ad:f7:99:10:17:b0:2c:5b:
                    2e:44:1c:17:2e:50:9c:80:17:ff:74:1c:d0:3c:6c:
                    58:61:f6:3b:df:5e:1d:5b:df:93:7d:9f:a4:bc:d8:
                    89:0d:db:a4:4e:7d:ac:da:6d:c5:ff:25:19:63:c6:
                    6e:23:81:f2:83:ce:bc:2d:fe:7a:77:98:49:2b:0f:
                    d7:de:b1:88:90:b7:08:09:7c:6c:a3:8e:96:60:12:
                    8e:3d:79:c6:70:44:46:a1:7b:4a:26:03:c7:20:f3:
                    d3:4c:b8:76:38:d1:13:7a:3c:d7:3b:b4:88:d0:83:
                    d7:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage: 
                E-mail Protection, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                email:tihs at house.com
    Signature Algorithm: sha256WithRSAEncryption
         06:c0:93:cf:03:3e:1e:3b:c3:41:70:9f:3e:e7:12:a9:ca:af:
         77:17:c9:b1:46:4d:31:13:7d:45:91:64:6b:c1:ae:32:90:5b:
         c6:12:06:75:32:e8:c3:c4:8e:29:12:08:ab:34:5d:ce:70:80:
         29:fe:12:3d:9e:32:e6:73:32:39:09:07:2c:62:88:45:c8:cc:
         9d:97:e7:26:4c:63:ca:3f:3a:79:4c:48:04:05:50:3f:b9:4a:
         45:c6:64:8f:e5:1d:44:4d:9e:6a:41:03:d7:58:d1:a3:21:44:
         01:a5:db:62:fa:9a:fd:9c:02:22:63:8b:20:a4:a1:d8:35:b6:
         85:f9:6f:a5:7d:2c:75:f2:17:f3:d2:8e:41:57:3d:55:ef:6f:
         01:06:a7:26:d1:e3:8e:cd:b1:6e:7f:3a:57:52:76:15:f7:38:
         6d:cb:0c:ae:4e:dd:a1:fa:e6:a1:8c:09:56:b3:40:e3:0c:db:
         ad:60:ca:1d:f8:d6:d8:d5:f6:57:62:41:2b:cc:67:10:34:93:
         cb:0b:53:b9:57:fb:a0:46:46:18:a6:3e:d7:23:2b:82:ca:92:
         db:66:82:ee:c3:94:b5:4c:2a:3b:f1:9d:d1:4b:09:89:a3:2f:
         2e:18:c9:83:64:b7:6b:62:c5:42:4d:76:f5:62:6b:33:50:8c:
         e5:73:82:bf


-- 
	Viktor.
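The two points in the reply above (a self-signed root verifies against itself once it is named as the CAfile; with no CAfile there is no trust at all) can be reproduced with throw-away certificates. The script below is an added example, not code from the thread or from the OpenSSL project; it assumes only that the `openssl` command-line tool is on PATH, and the names `rootca`, `test2`, the temporary directory and the helper functions are all made up for the example. The `test2` certificate copies the extension profile printed above (CA:FALSE, a key usage without keyCertSign, the same EKUs) so the third command is the situation from the original report.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the outcomes
# discussed above with throw-away certificates. Assumes only that the
# openssl command-line tool is on PATH; all names and subjects are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_selfsigned NAME EXTENSIONS
# Writes $WORK/NAME.pem: a self-signed certificate for CN=NAME whose X509v3
# extensions are exactly the openssl.cnf lines passed in EXTENSIONS.
mk_selfsigned() {
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' 'x509_extensions = ext' 'prompt = no' \
        '[dn]' "CN = $1" \
        '[ext]' "$2" > "$WORK/$1.cnf"
    openssl req -x509 -sha256 -days 30 -newkey rsa:2048 -nodes \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        2>/dev/null
}

# verify_against ANCHOR CERT
# Verifies $WORK/CERT.pem with $WORK/ANCHOR.pem as the only trust anchor.
# Prints the verify app's verdict; the exit status is openssl's own.
verify_against() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>&1
}

# verify_no_trust CERT
# The shape of the command in the original report: no -CAfile at all, so
# only the default system store (which knows nothing of CERT) is consulted.
verify_no_trust() {
    openssl verify "$WORK/$1.pem" 2>&1
}

# A conventional self-signed root: CA:TRUE plus a key usage that permits
# signing certificates.
mk_selfsigned rootca 'basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash'

# The extension profile of test2 from the thread: self-signed, but CA:FALSE
# and a key usage without keyCertSign.
mk_selfsigned test2 'basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = emailProtection, clientAuth'

# 1. The root is accepted as its own trust anchor: prints "<path>: OK".
verify_against rootca rootca || true
# 2. Without a trust anchor nothing verifies, the root included.
verify_no_trust rootca || true
# 3. The test2-style certificate named as its own CAfile. The release in
#    this thread rejects it; check what your own build says here.
verify_against test2 test2 || true
```

Run it with `sh` and read the three verdicts in order. The practical fix for a certificate that is meant to be its own trust anchor is the `rootca` profile: CA:TRUE together with a key usage that includes keyCertSign, since OpenSSL will only chain to an issuer whose key usage, when present, permits certificate signing.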

