[openssl-dev] Cannot verify self-signed certificates?

Nounou Dadoun nounou.dadoun at avigilon.com
Tue Dec 15 22:00:40 UTC 2015 

I have actually asked a variant on this question in the path, I would rephrase it as I have a certificate chain which doesn't go all the way back to a self-signed cert.  But I "trust" the highest certificate in the chain that I have; is there a way of telling openssl that once it hits this "trusted" certificate, it can stop and return the result.  As I recall, the answer was no .. N


Nou Dadoun
Senior Firmware Developer, Security Specialist


Office: 604.629.5182 ext 2632 
Support: 888.281.5182  |  avigilon.com
Follow Twitter  |  Follow LinkedIn


This email, including any files attached hereto (the “email”), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.



-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Viktor Dukhovni
Sent: Tuesday, December 15, 2015 1:36 PM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] Cannot verify self-signed certificates?


> On Dec 15, 2015, at 4:21 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
> 
>> And your particular certificate has:
>> 
>>           X509v3 Basic Constraints: critical
>>               CA:FALSE
>> 
>> which does prevent it from verifying itself.  The "CA:FALSE"
>> constraint is only really useful in certificates issued from a 
>> different key.  No security benefit in setin it in self-signed 
>> certificates.
> 
> I see. So what you’re saying is if I want self-signed certs to be 
> verifiable that way - they must not have that “non-CA” constraint. 
> Makes sense.

Yes, that's what I'm saying.

> If I want to “partially” verify a certificate via the command-line 
> utility
> - e.g. when I don’t have the issuing certificate at hand, is there a 
> way to tell openssl tool to go just as far as it can *without* 
> climbing up the cert chain? I understand and agree that it 
> significantly reduces the value of the verification - but in some [of 
> my use] cases it is sufficient. If it is not supported now - would it 
> be possible to add such capability as an option?

What does "partially verify mean?  Without the issuer's public key, you can't check the signature, so all you can do is *parse* the certificate, but you can't *verify* it.  The "x509" utility parses certificates, what do you want to do that goes beyond parsing, but stops short of checking the issuer signature?

-- 
	Viktor.



_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

More information about the openssl-dev mailing list