I have actually asked a variant on this question in the past. I would rephrase 
it as: I have a certificate chain which doesn't go all the way back to a 
self-signed cert, but I "trust" the highest certificate in the chain that I 
have; is there a way of telling openssl that once it hits this "trusted" 
certificate, it can stop and return the result? As I recall, the answer was no 
... N


Nou Dadoun
Senior Firmware Developer, Security Specialist

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Viktor 
Dukhovni
Sent: Tuesday, December 15, 2015 1:36 PM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] Cannot verify self-signed certificates?


> On Dec 15, 2015, at 4:21 PM, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> 
> wrote:
> 
>> And your particular certificate has:
>> 
>>           X509v3 Basic Constraints: critical
>>               CA:FALSE
>> 
>> which does prevent it from verifying itself.  The "CA:FALSE"
>> constraint is only really useful in certificates issued from a 
>> different key.  No security benefit in setting it in self-signed 
>> certificates.
> 
> I see. So what you’re saying is if I want self-signed certs to be 
> verifiable that way - they must not have that “non-CA” constraint. 
> Makes sense.

Yes, that's what I'm saying.

> If I want to “partially” verify a certificate via the command-line 
> utility
> - e.g. when I don’t have the issuing certificate at hand, is there a 
> way to tell openssl tool to go just as far as it can *without* 
> climbing up the cert chain? I understand and agree that it 
> significantly reduces the value of the verification - but in some [of 
> my use] cases it is sufficient. If it is not supported now - would it 
> be possible to add such capability as an option?

What does "partially verify" mean?  Without the issuer's public key, you can't 
check the signature, so all you can do is *parse* the certificate, but you 
can't *verify* it.  The "x509" utility parses certificates; what do you want to 
do that goes beyond parsing, but stops short of checking the issuer signature?

-- 
        Viktor.



_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev