As documented, the self-signature checks on self-signed certs are by default skipped. If your trust store can be modified by untrusted actors, self-signature checks won't help you. If you want to check the self-signature, pass the "-check_ss_sig" option. -- Viktor.