On 12/15/15, 15:34 , "openssl-dev on behalf of Viktor Dukhovni" <openssl-dev-boun...@openssl.org on behalf of openssl-us...@dukhovni.org> wrote:
> On Tue, Dec 15, 2015 at 08:04:45PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
>> It appears that openssl verify refuses to deal with self-signed
>> certificates?
>
> You mean the command-line utility? Yes.
>
>> $ openssl verify -verbose -purpose sslclient -purpose smimesign test2.pem
>>
>> test2.pem: CN = test2, C = US
>>
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> No CAfile, no trust.
>
> And your particular certificate has:
>
>     X509v3 Basic Constraints: critical
>         CA:FALSE
>
> which does prevent it from verifying itself. The "CA:FALSE"
> constraint is only really useful in certificates issued from a
> different key. No security benefit in setting it in self-signed
> certificates.

I see. So what you’re saying is if I want self-signed certs to be verifiable that way - they must not have that “non-CA” constraint. Makes sense.

If I want to “partially” verify a certificate via the command-line utility - e.g. when I don’t have the issuing certificate at hand - is there a way to tell the openssl tool to go just as far as it can *without* climbing up the cert chain? I understand and agree that it significantly reduces the value of the verification - but in some [of my use] cases it is sufficient.

If it is not supported now - would it be possible to add such capability as an option?

Thanks!
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev