> On Dec 15, 2015, at 4:21 PM, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> wrote:
>
>> And your particular certificate has:
>>
>> X509v3 Basic Constraints: critical
>> CA:FALSE
>>
>> which does prevent it from verifying itself. The "CA:FALSE"
>> constraint is only really useful in certificates issued from a
>> different key. No security benefit in setting it in self-signed
>> certificates.
>
> I see. So what you’re saying is if I want self-signed certs to be
> verifiable that way - they must not have that “non-CA” constraint. Makes
> sense.

Yes, that's what I'm saying.

> If I want to “partially” verify a certificate via the command-line utility
> - e.g. when I don’t have the issuing certificate at hand, is there a way
> to tell openssl tool to go just as far as it can *without* climbing up the
> cert chain? I understand and agree that it significantly reduces the value
> of the verification - but in some [of my use] cases it is sufficient. If
> it is not supported now - would it be possible to add such capability as
> an option?

What does "partially verify" mean? Without the issuer's public key, you
can't check the signature, so all you can do is *parse* the certificate,
but you can't *verify* it. The "x509" utility parses certificates, what
do you want to do that goes beyond parsing, but stops short of checking
the issuer signature?

-- 
	Viktor.
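The parse-versus-verify distinction drawn above, shown on the openssl command line. This is an added example, not part of the thread: it builds a throwaway CA and a leaf certificate on the fly (the names "Test CA" and "leaf" are made up), parses the leaf with "openssl x509" without any issuer present, and then shows "openssl verify" failing until the issuer's certificate is supplied.

```shell
#!/bin/sh
# Added example, not from the thread: "parse" versus "verify" on the openssl
# command line. A throwaway CA (CA:TRUE) issues a leaf with the thread's
# "basicConstraints = critical, CA:FALSE". Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the CA and the leaf once (throwaway test keys); safe to call twice.
setup_pki() {
    [ -f "$WORK/leaf.pem" ] && return 0
    cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
[leaf_ext]
basicConstraints = critical, CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -config "$WORK/ext.cnf" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf" \
        -config "$WORK/ext.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -days 1 -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
        -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null
}

# Parsing needs only the certificate itself: the issuer it names ...
parse_issuer() {
    openssl x509 -in "$WORK/leaf.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}
# ... and the Basic Constraints it carries (the line after the extension name).
parse_basic_constraints() {
    openssl x509 -in "$WORK/leaf.pem" -noout -text | sed -n '/Basic Constraints/{n;p;}' | tr -d ' '
}

# Verifying needs a trust anchor: 0 if $1 chains to the anchors in file $2, else 1.
# With an empty $2 only the default system roots are consulted, and none of
# them issued anything under our throwaway "Test CA".
verify_cert() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && return 0
    else
        openssl verify "$1" >/dev/null 2>&1 && return 0
    fi
    return 1
}

setup_pki; echo "parsed without any CA: issuer=$(parse_issuer) $(parse_basic_constraints)"
verify_cert "$WORK/leaf.pem" "" && echo "verify, no CA: ok" || echo "verify, no CA: fails (expected)"
verify_cert "$WORK/leaf.pem" "$WORK/ca.pem" && echo "verify with CA: ok" || echo "verify with CA: fails"
```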