Why does OpenSSL report google's certificate is "self-signed"?

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Apr 1 14:21:43 UTC 2021


> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Mark
> Hack
> Sent: Thursday, 1 April, 2021 07:45
> To: openssl-users at openssl.org
> Subject: Re: Why does OpenSSL report google's certificate is "self-signed"?
>
> RFC6066
>
>    Note that when a list of URLs for X.509 certificates is used, the
>    ordering of URLs is the same as that used in the TLS Certificate
>    message (see [RFC5246], Section 7.4.2), but opposite to the order in
>    which certificates are encoded in PkiPath.  In either case, the
>    self-signed root certificate MAY be omitted from the chain, under the
>    assumption that the server must already possess it in order to
>    validate it.

Thanks! I thought I'd seen something about the question in some standard. Having seen this, I see that RFC 8446 (TLSv1.3) has essentially the same language: "a certificate that specifies a trust anchor MAY be omitted from the chain" (4.4.2). So servers are good either way.

--
Michael Wojcik

