certificate verification error OpenSSL 1.1.1

Jakob Bohm jb-openssl at wisemo.com
Tue Mar 3 09:38:01 UTC 2020


On 2020-03-03 08:19, Viktor Dukhovni wrote:
> On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote:
>
>> when I tried to verify the self-signed certificate in OpenSSL 1.0.2 it
>> is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
>> 1.1.1 there is a slight change in the behavior: it also gives the same error,
>> but instead of OK it gives a different error as "*ca.crt: verification failed*"
>> as follows.
> The 1.1.1 behaviour is correct.  But you also don't seem to have a clear
> idea of what it means to "verify" a self-signed certificate.  Indeed
> most likely you don't actually want to verify it at all, and are really
> trying to solve some other problem, which you've decided involves verifying
> the certificate in question.  So it is likely best to describe the
> *actual* issue you're trying to solve.
Depends heavily on whether you formally interpret a self-signed and self-issued
end cert as a CA issuing itself (thus requiring CA:TRUE and making it
invalid as an end cert) or as an end cert with no separate CA chain
(thus requiring CA:FALSE and making it not trusted as a CA for any other
certificate).

Either way, the typical case is to use such a self-signed and self-issued
cert in the various OpenSSL-supported protocols (SSL, TLS, CMS etc.).
> However, that said:
>
>> openssl verify ./ca.crt
> This command verifies the certificate in question by trying to find in
> the default store a chain of issuers leading up to a trust anchor
> (typically a self-signed root CA).
>
> But a self-signed certificate is self-issued, so unless it is itself
> present in the trust store, no possible issuer can be found there.  So
> verification must always fail, and so it does.
>
>> why I'm getting this error?
> Well ultimately because you don't know what you're trying to do,
> but specifically because the certificate is not issued by an
> already trusted issuer.
>
>> is this an expected behavior in OpenSSL 1.1.1?
> Yes.
>
Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
