certificate verification error OpenSSL 1.1.1

Viktor Dukhovni openssl-users at dukhovni.org
Tue Mar 3 07:19:34 UTC 2020

On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote:

> when I tried to verify the the self signed certificate in OpenSSL 1.0.2 it
> is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
> 1.1.1 there is slight change in the behavior it also gives the same error,
> but instead of OK it gives different error as "*ca.crt: verification failed*"
> as follows.

The 1.1.1 behaviour is correct.  But you also don't seem to have a clear
idea of what it means to "verify" a self-signed certificate.  Indeed
most likely you don't actually want to verify it at all, and are really
trying to solve other problem, which you've decided involves verifying
the certificate in question.  So it is likely best to describe the
*actual* issue you're trying to solve.

However, that said:

> openssl verify ./ca.crt

This command verifies the certificate in question by trying to find in
the default store a chain of issuers leading up to a trust anchor
(typically a self-signed root CA).

But a self-signed certificate is self-issued, so unless it is itself
present in the trust store, no possible issuer can be found there.  So
verification must always fail, and so it does.

> why I'm getting this error?

Well ultimately because you don't know what you're trying to do, 
but specifically because the certificate is not issued by an
already trusted issuer.

> is this an expected behavior in OpenSSL 1.1.1?



More information about the openssl-users mailing list