[openssl-dev] Cannot verify self-signed certificates?
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Dec 15 22:51:13 UTC 2015
> On Dec 15, 2015, at 5:30 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
>
> Also, in your next email you mention “openssl verify -partial_chain”.
> Alas, I don’t see this option:
>
> $ openssl version
> OpenSSL 1.0.2e 3 Dec 2015
> $ openssl verify --help
> usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose]
> [-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2
> ...
> recognized usages:
> sslclient SSL client
> sslserver SSL server
> nssslserver Netscape SSL server
> smimesign S/MIME signing
> smimeencrypt S/MIME encryption
> crlsign CRL signing
> any Any Purpose
> ocsphelper OCSP helper
> timestampsign Time Stamp signing

That's fine, but have you tried it?

> $ man verify
>
> NAME
> verify - Utility to verify certificates.
>
>
> SYNOPSIS
> openssl verify [-CApath directory] [-CAfile file] [-purpose purpose] [-policy arg]
> [-ignore_critical] [-attime timestamp] [-check_ss_sig] [-crlfile file] [-crl_download]
> [-crl_check] [-crl_check_all] [-policy_check] [-explicit_policy] [-inhibit_any] [-inhibit_map]
> [-x509_strict] [-extended_crl] [-use_deltas] [-policy_print] [-no_alt_chains] [-untrusted
> file] [-help] [-issuer_checks] [-trusted file] [-verbose] [-] [certificates]

That's fine, but have you tried it? The option is documented in
1.1.0, and not 1.0.2, and yet it is available in both.

--
Viktor.
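
One way to try the option instead of reading the usage text, as an added example that is not part of the original message: the script checks by behaviour whether the installed `openssl verify` honours `-partial_chain`. It assumes the option's usual meaning (a trusted certificate that is not self-signed may end the chain); all file and subject names are constructed.

```shell
#!/bin/sh
# Added example. Subject names and file names are constructed for the probe.

# Create a throwaway root CA and a leaf certificate signed by it in dir $1.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# True only if "openssl verify" prints "<file>: OK". The output is checked
# rather than the exit status, because older releases may exit 0 on failure.
# $1 = trust store, $2 = certificate, remaining arguments = extra options.
verify_ok() {
    store=$1; cert=$2; shift 2
    openssl verify "$@" -CAfile "$store" "$cert" 2>/dev/null | grep -q ': OK$'
}

# Returns 0 if -partial_chain is honoured, 1 if not, 2 if the probe cannot run.
probe_partial_chain() {
    command -v openssl >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    rc=2
    # Control: the leaf must verify against the root, and must NOT verify when
    # the only "trusted" certificate is the leaf itself (an incomplete chain).
    if make_chain "$dir" && verify_ok "$dir/root.pem" "$dir/leaf.pem" \
        && ! verify_ok "$dir/leaf.pem" "$dir/leaf.pem"; then
        rc=1
        # Same incomplete chain, now with the option under test.
        verify_ok "$dir/leaf.pem" "$dir/leaf.pem" -partial_chain && rc=0
    fi
    rm -rf "$dir"
    return "$rc"
}

result=0; probe_partial_chain || result=$?
case $result in
    0) echo "verify honours -partial_chain" ;;
    1) echo "verify does not honour -partial_chain" ;;
    *) echo "probe could not run" ;;
esac
```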