[openssl-dev] Cannot verify self-signed certificates?
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Dec 15 21:36:13 UTC 2015
> On Dec 15, 2015, at 4:21 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
>
>> And your particular certificate has:
>>
>> X509v3 Basic Constraints: critical
>> CA:FALSE
>>
>> which does prevent it from verifying itself. The "CA:FALSE"
>> constraint is only really useful in certificates issued from a
>> different key. No security benefit in setting it in self-signed
>> certificates.
>
> I see. So what you’re saying is if I want self-signed certs to be
> verifiable that way - they must not have that “non-CA” constraint. Makes
> sense.
Yes, that's what I'm saying.
> If I want to “partially” verify a certificate via the command-line utility
> - e.g. when I don’t have the issuing certificate at hand, is there a way
> to tell openssl tool to go just as far as it can *without* climbing up the
> cert chain? I understand and agree that it significantly reduces the value
> of the verification - but in some [of my use] cases it is sufficient. If
> it is not supported now - would it be possible to add such capability as
> an option?
What does "partially verify" mean? Without the issuer's public key, you
can't check the signature, so all you can do is *parse* the certificate,
but you can't *verify* it. The "x509" utility parses certificates; what
do you want to do that goes beyond parsing, but stops short of checking
the issuer signature?
--
Viktor.
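The script below is an added example, not code from this thread or from OpenSSL itself. It builds a throwaway PKI in a temp directory (every name in it, demo-root, self-signed-leaf, issued-leaf, minted-by-leaf, is constructed for the demo) and runs the two operations Viktor distinguishes: parsing, which needs nothing but the certificate, and verification, which needs the issuer's public key supplied through -CAfile (trust anchors) or -untrusted (intermediates). It also shows where CA:FALSE does earn its keep, in a certificate issued from a different key: a certificate minted under the CA:FALSE leaf is rejected even though the leaf itself chains to a trusted root. What your build does with a CA:FALSE self-signed certificate offered as its own trust anchor is printed rather than asserted, so you can compare it with the thread's claim.

```shell
#!/bin/sh
# Added example for the openssl-dev thread above; not code from the thread
# or from OpenSSL. Builds a throwaway PKI (all names constructed for the
# demo) and shows what "openssl verify" can do with and without the
# issuer's key.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/req.cnf"

# A private config so nothing depends on the system openssl.cnf; v3_leaf
# reproduces the "critical, CA:FALSE" shape discussed in the thread.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
EOF

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

# Throwaway PKI:
#   ca.pem         self-signed, CA:TRUE   -> usable as a trust anchor
#   self-leaf.pem  self-signed, CA:FALSE  -> the certificate shape from the thread
#   leaf.pem       issued by ca.pem, CA:FALSE
#   minted.pem     issued under leaf.pem's key, i.e. by a non-CA
build_pki() {
    newkey "$WORK/ca.key" && newkey "$WORK/leaf.key" && newkey "$WORK/minted.key" &&
    openssl req -x509 -new -key "$WORK/ca.key" -subj /CN=demo-root -days 1 \
        -config "$CNF" -extensions v3_ca -out "$WORK/ca.pem" 2>/dev/null &&
    openssl req -x509 -new -key "$WORK/leaf.key" -subj /CN=self-signed-leaf -days 1 \
        -config "$CNF" -extensions v3_leaf -out "$WORK/self-leaf.pem" 2>/dev/null &&
    openssl req -new -key "$WORK/leaf.key" -subj /CN=issued-leaf \
        -config "$CNF" -out "$WORK/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 2 -days 1 -extfile "$CNF" -extensions v3_leaf \
        -out "$WORK/leaf.pem" 2>/dev/null &&
    openssl req -new -key "$WORK/minted.key" -subj /CN=minted-by-leaf \
        -config "$CNF" -out "$WORK/minted.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/minted.csr" -CA "$WORK/leaf.pem" -CAkey "$WORK/leaf.key" \
        -set_serial 3 -days 1 -extfile "$CNF" -extensions v3_leaf \
        -out "$WORK/minted.pem" 2>/dev/null
}

# Parsing needs nothing but the certificate: subject, issuer, validity ...
parse_only() { openssl x509 -in "$1" -noout -subject -issuer -dates; }

# ... and the Basic Constraints value (prints e.g. CA:FALSE; empty if absent).
basic_constraints() {
    openssl x509 -in "$1" -noout -text |
        awk '/Basic Constraints/ { getline; gsub(/ /, ""); print; exit }'
}

# Verifying needs the issuer's public key: trust anchors via -CAfile,
# intermediates via -untrusted. Returns openssl verify's exit status.
verifies() { cert=$1; shift; openssl verify "$@" "$cert" >/dev/null 2>&1; }

report() { label=$1; shift; if verifies "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi; }

main() {
    build_pki || { echo "PKI setup failed (is openssl on PATH?)" >&2; return 1; }
    echo "--- parse only (no issuer needed) ---"
    parse_only "$WORK/self-leaf.pem"
    echo "basicConstraints: $(basic_constraints "$WORK/self-leaf.pem")"
    echo "--- verify (issuer key needed) ---"
    report "self-signed CA:TRUE root, trusting itself"      "$WORK/ca.pem"   -CAfile "$WORK/ca.pem"
    report "CA-issued leaf against the root"                "$WORK/leaf.pem" -CAfile "$WORK/ca.pem"
    report "CA-issued leaf with no trust anchor"            "$WORK/leaf.pem"
    report "self-signed CA:FALSE leaf with no trust anchor" "$WORK/self-leaf.pem"
    report "self-signed CA:FALSE leaf trusting itself"      "$WORK/self-leaf.pem" -CAfile "$WORK/self-leaf.pem"
    report "cert minted under the CA:FALSE leaf"            "$WORK/minted.pem" -CAfile "$WORK/ca.pem" -untrusted "$WORK/leaf.pem"
}

main
```

The last report line is the security-relevant one: because leaf.pem carries CA:FALSE, verification of minted.pem fails at depth 1 even though the chain up to the root is otherwise sound, so a compromised leaf key cannot mint certificates that validate. That protection is meaningful only when the leaf was issued from a different key, which is Viktor's point; the "parse only" section shows the most the x509 utility can tell you when the issuer's key is not at hand.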