[openssl-dev] Cannot verify self-signed certificates?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue Dec 15 21:21:52 UTC 2015


On 12/15/15, 15:34 , "openssl-dev on behalf of Viktor Dukhovni"
<openssl-dev-bounces at openssl.org on behalf of openssl-users at dukhovni.org>
wrote:

>On Tue, Dec 15, 2015 at 08:04:45PM +0000, Blumenthal, Uri - 0553 - MITLL
>wrote:
>> It appears that openssl verify refuses to deal with self-signed
>> certificates?
>
>You mean the command-line utility?

Yes.

>>$ openssl verify -verbose -purpose sslclient -purpose smimesign test2.pem
>> 
>> test2.pem: CN = test2, C = US
>> 
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>
>No CAfile, no trust.
>
>And your particular certificate has:
>
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>
>which does prevent it from verifying itself.  The "CA:FALSE"
>constraint is only really useful in certificates issued from a
>different key.  No security benefit in setting it in self-signed
>certificates.

I see. So what you’re saying is if I want self-signed certs to be
verifiable that way - they must not have that “non-CA” constraint. Makes
sense.

If I want to “partially” verify a certificate via the command-line utility
- e.g. when I don’t have the issuing certificate at hand, is there a way
to tell the openssl tool to go just as far as it can *without* climbing up the
cert chain? I understand and agree that it significantly reduces the value
of the verification - but in some [of my use] cases it is sufficient. If
it is not supported now - would it be possible to add such capability as
an option?

Thanks!
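The two points in Viktor's reply, reproduced end to end with throwaway certificates (an added example, not code from the thread): a self-signed certificate is only "trusted" when it is named as a trust anchor, and one carrying an end-entity profile cannot serve as its own anchor. The end-entity profile here is CA:FALSE as in the thread plus a keyUsage without keyCertSign, which is an assumption about Uri's certificate; OpenSSL 1.1.1 or later is assumed for `req -addext`.

```shell
#!/bin/sh
# Added example, not from the thread: generate two self-signed certificates and
# run "openssl verify" the way Uri did, with and without a trust file.
# Assumes OpenSSL >= 1.1.1 (for "req -addext"); all key material is throwaway.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# End-entity profile: CA:FALSE as in the thread, plus a keyUsage without
# keyCertSign (assumed here; such certs usually carry it). OpenSSL will not
# treat a cert as its own issuer when its keyUsage forbids certificate signing.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test2/C=US" \
    -keyout "$WORK/ee.key" -out "$WORK/ee.pem" \
    -addext "basicConstraints=critical,CA:FALSE" \
    -addext "keyUsage=critical,digitalSignature" >/dev/null 2>&1

# Same subject without the end-entity constraints, per Viktor's advice.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test2/C=US" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# Succeeds only when "openssl verify" reports OK with no -CAfile, i.e. against
# the default trust store (what Uri's command line did).
verifies_without_anchor() { openssl verify "$1" >/dev/null 2>&1; }

# Succeeds only when "openssl verify" reports OK with $2 as the trust anchor.
verifies_with_anchor() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

echo "## ee.pem, no -CAfile (Uri's command; expect failure, error 20 in the thread):"
openssl verify "$WORK/ee.pem" 2>&1 || true
echo "## ee.pem as its own trust anchor (end-entity profile; expect failure):"
openssl verify -CAfile "$WORK/ee.pem" "$WORK/ee.pem" 2>&1 || true
echo "## root.pem as its own trust anchor (expect OK):"
openssl verify -CAfile "$WORK/root.pem" "$WORK/root.pem" 2>&1
```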