What is 'trusted certificate'

Viktor Dukhovni openssl-users at dukhovni.org
Sat Jul 16 18:30:47 UTC 2022

On Sat, Jul 16, 2022 at 08:45:22AM +0200, David von Oheimb wrote:

> To me the below warnings looks strange because usually at depth 0 and 1
> of a cert chain (i.e., at the positions of the end entity cert and any
> subsequent intermediate cert) it is normal to have untrusted certs.
> Usually only at the end of the chain you have a trusted cert that
> represents the trust anchor for the chain.

The certificate in question appears to be issued by a private CA, so the
immediate issuer may well be the trust-anchor.  That said, yes, there is
not enough information in the OP's message to determine even whether
there is a problem, or what it might be.

> > I have freeradius server configured to use EAP-TLS (certificate
> > baset authn) Since some time I have warning in logs:
> > 
> > --8<---------------cut here---------------start------------->8---
> > Fri Jul 15 22:29:04 2022 : Warning: (TLS) untrusted certificate with
> > depth [1] subject name
> > /C=PL/ST=Mazowieckie/L=Warszawa/O=beta/OU=wifi/CN=beta-wifi-ca
> > Fri Jul 15 22:29:04 2022 : Warning: (TLS) untrusted certificate with
> > depth [0] subject name
> > /C=PL/ST=Mazowieckie/O=beta/OU=wifi/CN=salamandra
> > --8<---------------cut here---------------end--------------->8---
> > 
> > I took a look into code and it seems to be related to
> > "X509_STORE_CTX_get0_untrusted(ctx)" function.

That's almost certainlky a red herring.  It returns the list of non
helper certificates that are used to build a chain to the root of trust.
These are typically the certificates provided by the peer.  Trusted
certificates come from the local trust store (CAfile, CApath, ...).

> > I tried to search, but without success.  Can anyone tell me when
> > certificate is "trusted" in this context?  (How to get rid this
> > warning) or point to documentation/search keys

A trusted certificate is a typically self-signed CA certificate stored
in a file which is used to hold trusted certificates.


More information about the openssl-users mailing list