Why does OpenSSL report google's certificate is "self-signed"?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Mar 31 17:48:40 UTC 2021

> On Mar 31, 2021, at 1:43 PM, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:
> As far as I can see, neither PKIX (RFC 5280) nor the CA/BF Baseline Requirements say anything about the practice, though I may have missed something. I had a vague memory that some standard or "best practice" guideline somewhere said the server should send the chain up to but not including the root, but I don't know what that might have been.

Inclusion of the self-signed root is harmless.  The only case that
I know of where this is actually necessary is with DANE-TA(2) when
the TLSA RRset has a hash of the trusted root cert or public key.


More information about the openssl-users mailing list