Traditionally the term "self-signed" applied to certificates that are NOT
signed by anybody but the owner of the given key pair. With all the relevant
security implications.

What is the purpose of checking for "self-signed cert"? To see if only the
owner signed that key? Or to see that the key owner ALSO signed the key?



> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Goetz 
> Babin-Ebell
> Sent: Wednesday, October 25, 2006 11:49
> To: openssl-users@openssl.org
> Subject: Re: How to check if the certificate is self signed
> 
> Ambarish Mitra wrote:
> Hello Ambarish,
> 
> > On Wed, Oct 25, 2006, Goetz Babin-Ebell wrote:
> > 
> >> openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem 
> >> should return:
> >> self_signed_cert.pem: OK
> >
> > Maestro Steve appended:
> > 
> >> Indeed, technically a certificate with issuer and subject names
> >> identical is self-issued and may or may not be self signed. It has to
> >> be signed with its own key to be self signed which the above command checks.
> > 
> > Is there a difference between certificate "issue" and "sign"? I was
> > under the impression that a certificate is said to be issued only when
> > it is signed. Can there be a case when a cert is issued, but is not
> > signed? Please enlighten.
> 
> A certificate is _issued_ by a CA authority with a given name.
> But a certificate is _signed_ by a private key.
> 
> It is always possible to have more than one certificate with 
> the same subject name.
> 
> Only the combination issuer name / serial number must be unique.
> (Last time I checked OpenSSL has problems with more than one
> CA certificate with the same subject name...)
> 
> Let's assume the following scenario:
> * CA1:  subj: CN=CA,    issr: CN=CA, Ser: 1, Key: #1, Signed: Key #1
> * CA2:  subj: CN=CA,    issr: CN=CA, Ser: 2, Key: #2, Signed: Key #2
> * Usr1: subj: CN=User1, issr: CN=CA, Ser: 3, Key: #3, Signed: Key #1
> * Usr2: subj: CN=User2, issr: CN=CA, Ser: 4, Key: #4, Signed: Key #2
> 
> As far as I remember X509 does not totally disallow this, but
> OpenSSL will have problems verifying the user certificates:
> 
> All certificates are issued by the CA with the name "CN=CA", 
> but they are signed alternatively by the keys #1 and #2...
> 
> Bye
> 
> Goetz
> 
> - --
> DMCA: The greed of the few outweighs the freedom of the many 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           
> [EMAIL PROTECTED]

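The issued/signed distinction Goetz draws above, as an added shell example that is not from the thread or the OpenSSL project: it builds CA1, CA2 and Usr1 from his list plus a constructed certificate that is self-issued (subject and issuer both CN=CA) but signed with CA1's key, and classifies each with the openssl CLI. The file names and the is_self_issued/is_self_signed/classify helpers are my own.

```shell
#!/bin/sh
# Added example, not from the thread: distinguish self-issued (subject == issuer)
# from self-signed (signature verifies under its own key) with the openssl CLI.
set -eu
WORK=$(mktemp -d)   # scratch directory for the constructed certificates

# CA1 and CA2 from the thread: both CN=CA, each signed with its own, different key.
for n in 1 2; do
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=CA" -days 1 \
    -keyout "$WORK/ca$n.key" -out "$WORK/ca$n.pem" >/dev/null 2>&1
done

# A third cert, also subject CN=CA / issuer CN=CA, but signed with CA1's key
# rather than its own: self-issued, yet NOT self-signed (constructed case).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/other.csr" -days 1 -CA "$WORK/ca1.pem" \
  -CAkey "$WORK/ca1.key" -CAcreateserial -out "$WORK/selfissued.pem" >/dev/null 2>&1

# Usr1 from the thread: subject CN=User1, issued by CN=CA, signed with key #1.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=User1" \
  -keyout "$WORK/usr1.key" -out "$WORK/usr1.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/usr1.csr" -days 1 -CA "$WORK/ca1.pem" \
  -CAkey "$WORK/ca1.key" -CAcreateserial -out "$WORK/usr1.pem" >/dev/null 2>&1

# is_self_issued CERT: true when the subject and issuer names are identical.
is_self_issued() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  issr=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
  [ "${subj#subject=}" = "${issr#issuer=}" ]
}

# is_self_signed CERT: the thread's "openssl verify -CAfile cert cert" test.
# -check_ss_sig matters: by default OpenSSL skips the signature check on a trust
# anchor, so a self-issued cert without an authority key identifier that was
# signed by some other key can still come back "OK" without that flag.
is_self_signed() {
  openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# classify CERT: prints self-signed | self-issued-only | issued
classify() {
  if is_self_signed "$1"; then echo self-signed
  elif is_self_issued "$1"; then echo self-issued-only
  else echo issued
  fi
}

for c in ca1 ca2 selfissued usr1; do
  echo "$c.pem: $(classify "$WORK/$c.pem")"
done
```

Expected: ca1.pem and ca2.pem report self-signed, selfissued.pem reports self-issued-only, usr1.pem reports issued.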