[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Nov 30 23:55:49 UTC 2018

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Friday, November 30, 2018 16:35
> > On Nov 30, 2018, at 5:00 PM, Charles Mills <charlesm at mcn.org> wrote:
> >
> > "Self-signed certificate in certificate chain" does not to me convey "No
> > certificate hash links" (or "CA certificate not found in hash links").
> That's not really possible, because the code that's doing certificate
> validation works with an abstract certificate store API, and does not
> know whether a particular certificate should or should not have been
> listed as a trust-anchor in some store.
> All we know is that we've reached a self-signed certificate in the
> chain (so no further issuers can be found) and it is not in any
> of the trust stores, so verification fails.
> Perhaps we could document the errors in a bit more depth, but I don't
> think it is possible to tell you that your CApath was missing some
> specific symlink.

Viktor's points are all good ones, but considering how often this particular message causes confusion for users and developers (at least in my experience), I wonder whether changing the text to "Untrusted self-signed certificate in certificate chain" would help. That would suggest to the user that the problem might be an issue with the trust store.

Michael Wojcik
Distinguished Engineer, Micro Focus
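A worked reproduction of the situation discussed above, added here as an example (it is not part of the thread and not OpenSSL's own code): a CA certificate is copied into a CApath directory but no hash link is created for it, a peer chain that includes that self-signed root is verified against the directory, and verification fails with error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN), the "self-signed certificate in certificate chain" message. Adding the `<subject-hash>.0` link that the by-directory lookup actually tries makes the same verification succeed. `openssl verify -untrusted` stands in for a server that sends its root in the handshake. The script assumes OpenSSL 1.1.1 or 3.x on PATH; the directory layout, file names and subjects are arbitrary choices for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSL itself): reproduce the
# "self-signed certificate in certificate chain" failure caused by a CApath
# with no hash links, show which link the by-directory lookup expects, create
# it, and verify again. Assumes OpenSSL 1.1.1 or 3.x on PATH; file names and
# subjects are arbitrary.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway chain (self-signed root CA -> leaf) in directory $1.
# The inline config makes the root a real CA regardless of the system openssl.cnf.
make_chain() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Test Root" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
}

# Verify $1/leaf.pem against CApath $2 only (no default CAfile), with $1/ca.pem
# supplied as an *untrusted* chain certificate, which is what a server that
# sends its own root in the handshake looks like to a client.
# Prints 0 on success, otherwise the X509_V_ERR number from "error N at ...".
verify_err() {
  dir=$1; capath=$2
  if out=$(openssl verify -no-CAfile -CApath "$capath" \
             -untrusted "$dir/ca.pem" "$dir/leaf.pem" 2>&1); then
    echo 0
  else
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

# File name the by-directory lookup tries for a CA cert: <subject hash>.<n>, n from 0.
expected_link() {
  printf '%s.0\n' "$(openssl x509 -noout -subject_hash -in "$1")"
}

# Add the hash link for $2 (a PEM file already inside CApath $1). This is the
# per-file step that `openssl rehash` / `c_rehash` performs for a whole directory.
add_hash_link() {
  ln -sf "$2" "$1/$(expected_link "$1/$2")"
}

make_chain "$WORK"
mkdir "$WORK/capath"
cp "$WORK/ca.pem" "$WORK/capath/root.pem"   # CA present in CApath, but not hash-linked
echo "without hash link: error $(verify_err "$WORK" "$WORK/capath")"   # 19
add_hash_link "$WORK/capath" root.pem
echo "with hash link:    error $(verify_err "$WORK" "$WORK/capath")"   # 0
```

The first verification fails even though the root is sitting in the directory, because the hash-dir lookup never opens `root.pem`; it only opens `<hash>.0`, `<hash>.1`, and so on. In practice run `openssl rehash DIR` (or `c_rehash DIR` on older installs) after every change to a CApath directory rather than linking by hand; the manual link above is only there to show exactly which file the lookup wanted.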
