Is curl the good tool

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Apr 26 19:34:10 UTC 2023


> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Jean Brico
> Sent: Wednesday, 26 April, 2023 02:11

> My CA and my certificates are self-signed (it's for tests, I don't want to use real certificates).

CA root certificates are self-signed by definition (that's what a "root" certificate is). Certificates issued by a CA are not self-signed, also by definition (that's what it means to be "issued"). So I assume what you mean here is that you have your own CA, not that you're using self-signed entity certificates.

> But under Debian 11, I've some problems: under Chrome, IE, Edge or Firefox on Windows 10
> customer, the results are weird.

"Weird" is not a useful description.

How is this "customer" system configured for your CA? Did you have them install your root and any intermediates as trusted CA certificates? It's really not clear what you're doing here.

> And if I modify Apache conf to have customer identification, it's even worse.

I have no idea what you mean by "customer identification" here.

> My question: if curl is working fine, can I conclude my Apache configuration and my certificates are fine?

If you didn't build curl yourself, there's no easy way to know what options were used when compiling it; but I believe by default it does not attempt to validate the peer's certificate chain. You have to use options such as --cacert or --capath to do basic validation, --crlfile to check against a CRL, --cert-status to check OCSP stapling if the peer provides it, and so on.

It's much like openssl s_client: You can use it to do PKIX validation, but it's not automatic. You have to understand what you're doing.

> So the problem is on Chrome, IE, Edge or Firefox on Windows 10 customer, because I use self-certificates 

It's really not clear *what* you're doing. Supplying copies of your certificates would help.

-- 
Michael Wojcik
Distinguished Engineer, AMC
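The curl-validation point above, as an added check (not from the thread): this shell script constructs a throwaway root CA and a leaf certificate for localhost with openssl, serves it with openssl s_server, and records curl's exit code against the system trust store, with --cacert pointing at the private CA, and with -k, so you can observe what your own curl build does rather than assume. It assumes openssl and curl are on PATH and TCP port 18443 is free; the CA name, file names and port are constructed.

```shell
#!/bin/sh
# Added example: constructed test PKI + local TLS server to observe curl's
# certificate validation behaviour. Assumes openssl and curl are on PATH.

# Create a throwaway root CA and a leaf cert for "localhost" signed by it.
make_test_pki() {                                   # $1 = work directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test Root CA" \
      -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
      -keyout "$1/srv.key" -out "$1/srv.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:localhost\n' > "$1/san.cnf"   # validators match the SAN, not the CN
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
      -days 2 -extfile "$1/san.cnf" -out "$1/srv.pem" >/dev/null 2>&1
}

# Run curl against $1 and print its exit code instead of aborting on failure.
# $2 = CA file to trust ("" = the system trust store); $3 = extra curl options.
curl_exit_code() {
  rc=0
  if [ -n "$2" ]; then
    curl -sS --cacert "$2" $3 -o /dev/null "$1" 2>/dev/null || rc=$?
  else
    curl -sS $3 -o /dev/null "$1" 2>/dev/null || rc=$?
  fi
  echo "$rc"
}

# Serve the leaf cert with openssl s_server; sets SRV_PID; waits until it answers.
start_server() {                                    # $1 = work directory, $2 = port
  openssl s_server -accept "$2" -cert "$1/srv.pem" -key "$1/srv.key" -www >/dev/null 2>&1 &
  SRV_PID=$!
  i=0
  while [ "$i" -lt 15 ]; do
    [ "$(curl_exit_code "https://localhost:$2/" "$1/ca.pem")" = 0 ] && return 0
    i=$((i + 1)); sleep 1
  done
  return 1
}

# curl exit 60 = "peer certificate cannot be authenticated with known CA certificates".
demo() {
  d=$(mktemp -d); make_test_pki "$d"; start_server "$d" 18443
  echo "system trust store : exit $(curl_exit_code https://localhost:18443/ '')"
  echo "--cacert ca.pem    : exit $(curl_exit_code https://localhost:18443/ "$d/ca.pem")"
  echo "-k (no validation) : exit $(curl_exit_code https://localhost:18443/ '' -k)"
  kill "$SRV_PID"; rm -rf "$d"
}
case "${1:-}" in run) demo ;; esac
```

Run it as `sh check_curl.sh run`; a run that only passes with -k says nothing about the chain, and `curl -V` shows the TLS backend and feature list that determine which of the validation options (such as --cert-status) your build supports.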


