Holger Reif writes:
>Ian Alderman schrieb:
>> 
>> I'm trying to use 'openssl verify' to verify a certificate chain for
>> which I have (and trust) the root CA certificate.
>> 
>> Verify just returns 'OK' whenever there's any self-signed certificate
>> anywhere in the certificate chain.  I can't figure out how to specify
>> that my root CA certificate is the only acceptable one.  Any ideas?
>
>openssl verify -CAfile your_root_cert.pem ...

If I run: 
  openssl verify -CAfile my_root_cert.pem some_random_self_signed.pem
I get:
  some_random_self_signed.pem: OK

But it wasn't signed by my_root_cert at all.

It returns OK because the cb function in verify.c returns a 1 for
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; but it's not the right self
signed cert.

I'm willing to modify the source to the cb function; I'm just not sure
what the best (secure) way to confirm that the depth zero self signed
cert is the right one.  Or, at least, not the one I'm trying to verify.

>> Suppose I'm trying to authenticate something using verify.  All they
>> have to do is give me a self-signed certificate and it verifies fine.
>> This doesn't seem too secure.  How can I prevent this?
>> 
>> Also, in the same code (the 'cb' function in apps/verify.c), expired
>> certificates are accepted.  Why is this?  I would think that expired
>> certificates in the certificate chain should be an error rather than
>> just a warning.
>> 
>> I also can't get the -CApath option to work.  I think openssl just
>> ignores files in the directory I specify using this option.  Is there
>> something I'm missing?
>
>Maybe the hash links. Every file needs to have a name 
>(or a link with that name) that matches the hash of the
>issuer name. Use openssl x509 -hash to produce the hash

That's just the thing.  Thanks.

Cheers,

-Ian
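Added example, not from the thread or from OpenSSL's own sources: a small script that builds a throw-away root CA, a leaf it actually issued, and an unrelated self-signed certificate, then runs 'openssl verify' against -CAfile and against a -CApath directory populated with the hash link discussed above. It assumes a current openssl binary on PATH; all key and certificate files (my_root_cert.pem, leaf.pem, some_random_self_signed.pem, capath/) are constructed here. With current OpenSSL the self-signed stranger is rejected (error 18, "self-signed certificate") instead of being waved through by the old verify.c callback.

```shell
#!/bin/sh
# Constructed mini-PKI to show what 'openssl verify' should accept.
set -e

WORK=$(mktemp -d)

# Trusted root CA and a leaf certificate genuinely issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/my_root_cert.pem" -days 30 -subj "/CN=My Root CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
  -out "$WORK/leaf.csr" -subj "/CN=leaf.example" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/my_root_cert.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.pem" -days 30 >/dev/null 2>&1

# An unrelated self-signed certificate: the case the thread worries about.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rogue.key" \
  -out "$WORK/some_random_self_signed.pem" -days 30 -subj "/CN=Rogue" >/dev/null 2>&1

# -CApath only finds a CA cert if a file (or link) named <subject-hash>.<n>
# points at it; 'openssl x509 -hash' prints that hash (c_rehash automates this).
mkdir "$WORK/capath"
HASH=$(openssl x509 -in "$WORK/my_root_cert.pem" -hash -noout)
ln -s "$WORK/my_root_cert.pem" "$WORK/capath/$HASH.0"

# Each helper exits 0 only when openssl verify accepts the cert against the
# given trust source (the only trusted root is my_root_cert.pem).
verify_with_cafile() { openssl verify -CAfile "$WORK/my_root_cert.pem" "$1" >/dev/null 2>&1; }
verify_with_capath() { openssl verify -CApath "$WORK/capath" "$1" >/dev/null 2>&1; }

leaf_ok()   { verify_with_cafile "$WORK/leaf.pem"; }                    # expected: accepted
rogue_ok()  { verify_with_cafile "$WORK/some_random_self_signed.pem"; } # expected: rejected
capath_ok() { verify_with_capath "$WORK/leaf.pem"; }                    # expected: accepted
```

If rogue_ok ever succeeds, the trust store is wider than intended (for example the stranger's cert was added as a CA), which is exactly the condition to check for before relying on a verify result.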

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]