Misunderstanding openssl verify

Ken Goldman kgoldman at us.ibm.com
Mon Aug 16 13:41:44 UTC 2021

It doesn't seem to be verifying the signature on the certificate
parameter.  Version 1.1.1k.

I create an incorrectly signed self-signed certificate and convert it from
der to pem.

A basic

	openssl verify -CAfile c1.pem c1.pem

Returns OK, even though the signature is bad.  Why?

Editing the der to change the after date, the public key, or the
signature still returns OK.  Why?

Editing the der to change the issuer causes a failure.

Adding -check_ss_sig correctly causes a signature failure.

It seems as though the 'verify' command checks the issuer,
but not the signature of the certificate - the last parameter.

More information about the openssl-users mailing list
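The behaviour described in the post, reproduced as an added example (not part of the original message, nor OpenSSL's own code): it builds a throwaway self-signed certificate, inverts the last byte of the DER-encoded signature, re-encodes the result as PEM and runs `openssl verify` against that file with and without -check_ss_sig. It assumes the openssl CLI is on PATH; the file names and the subject name are arbitrary.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the behaviour above.
# Assumes the openssl CLI is on PATH; file names and the subject are arbitrary.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found on PATH" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway self-signed RSA certificate (constructed test data)
# and keep a DER copy so individual bytes can be edited.
make_good_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=verify-demo' -keyout "$WORK/key.pem" \
        -out "$WORK/c1.pem" >/dev/null 2>&1
    openssl x509 -in "$WORK/c1.pem" -outform DER -out "$WORK/c1.der"
}

# Invert the final DER byte, i.e. the last byte of signatureValue, and
# re-encode as PEM. Subject, issuer and public key are untouched, so the
# file still looks self-issued; only the signature is now wrong.
make_bad_cert() {
    size=$(wc -c < "$WORK/c1.der")
    last=$(tail -c 1 "$WORK/c1.der" | od -An -tu1 | tr -d ' ')
    head -c "$((size - 1))" "$WORK/c1.der" > "$WORK/bad.der"
    printf "\\$(printf '%03o' "$((last ^ 255))")" >> "$WORK/bad.der"
    openssl x509 -inform DER -in "$WORK/bad.der" -out "$WORK/bad.pem"
}

# Verify the damaged cert against itself, exactly as in the post, and echo
# the exit status: 0 means "OK", non-zero means verification failed.
# $1 holds extra flags for openssl verify and may be an empty string.
verify_status() {
    set +e
    openssl verify $1 -CAfile "$WORK/bad.pem" "$WORK/bad.pem" >/dev/null 2>&1
    rc=$?
    set -e
    echo "$rc"
}

make_good_cert
make_bad_cert
# Without -check_ss_sig the file is its own trust anchor and its signature is
# never checked; with the flag the bad self-signature is rejected.
echo "openssl verify               -> exit $(verify_status '')"
echo "openssl verify -check_ss_sig -> exit $(verify_status -check_ss_sig)"
```

The first command reports OK because the certificate in -CAfile is taken as a trust anchor and matched to the input by name and key, not by its signature; the second fails because -check_ss_sig makes verify check the anchor's own signature.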