Why does OpenSSL report google's certificate is "self-signed"?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Mar 31 16:30:53 UTC 2021

> On Mar 31, 2021, at 1:49 AM, Nan Xiao <xiaonan830818 at gmail.com> wrote:
> The connection is successful, but the ssl->verify_result is 18, i.e.,
> X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. I am a little confused why
> OpenSSL reports google's certificate is "self-signed"? And it should
> be not. 

Most likely you haven't configured a suitable CAfile and/or CApath,
which contains the root CA that ultimately issued Google's certificate.

It looks like Google includes a self-signed root CA in the wire
certificate chain, and if no match is found in the trust store,
you'll get the reported error.


More information about the openssl-users mailing list