Why does OpenSSL report Google's certificate is "self-signed"?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Mar 31 18:01:05 UTC 2021

For a Web GUI with the user at the console (e.g., a Web browser), it might be OK. 

For my needs (devices talking to each other over austere links), sending the root CA is both useless and wasteful. Once you factor in the sizes of Post-Quantum keys and signatures - you’ll start disliking this idea even more.


> On Mar 31, 2021, at 13:49, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>> On Mar 31, 2021, at 1:43 PM, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:
>> As far as I can see, neither PKIX (RFC 5280) nor the CA/BF Baseline Requirements say anything about the practice, though I may have missed something. I had a vague memory that some standard or "best practice" guideline somewhere said the server should send the chain up to but not including the root, but I don't know what that might have been.
> Inclusion of the self-signed root is harmless.  The only case that
> I know of where this is actually necessary is with DANE-TA(2) when
> the TLSA RRset has a hash of the trusted root cert or public key.
> -- 
>    Viktor.