Hi,

When I verify an X509 cert against a CA certificate, I found that the cert can pass validation even if it has two instances of X509v3 Basic Constraints, X509v3 Subject Key IDs, and Authority Key IDs. It seems that some issues are not important in verification. (I guess one reason is that one subject key ID is the same as the authority key ID, and thus openssl may regard it as a self-signed certificate?) Should this be forbidden?

command:

    openssl verify -x509_strict -verbose -CAfile myroot.pem mycert.pem

-------------- next part --------------
A non-text attachment was scrubbed...
Name: myroot.pem
Type: application/x-x509-ca-cert
Size: 1815 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150405/4ace5ce9/attachment-0002.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: myfile.pem
Type: application/x-x509-ca-cert
Size: 2612 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150405/4ace5ce9/attachment-0003.crt>
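RFC 5280 section 4.2 states that a certificate MUST NOT include more than one instance of a particular extension, so a relying party can check for the condition described in the message above before handing a certificate to the verifier. The following is an added example, not part of the original post and not OpenSSL code: a standard-library-only DER walk that reports repeated extension OIDs. The helper names and the sample (a constructed certificate-shaped skeleton with placeholder extension values, not the poster's attachment) are assumptions.

```python
from collections import Counter

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0                        # split constructed contents into (tag, value)
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    subs, n = [], 0
    for byte in body:                       # base-128 digits, high bit marks continuation
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subs.append(n)
            n = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def duplicate_extensions(cert_der):
    """Return the extension OIDs that occur more than once in a DER certificate."""
    tbs = children(read_tlv(cert_der, 0)[1])[0][1]
    for tag, val in children(tbs):
        if tag == 0xA3:                     # [3] EXPLICIT Extensions
            exts = children(children(val)[0][1])
            seen = Counter(decode_oid(children(e)[0][1]) for _, e in exts)
            return sorted(oid for oid, count in seen.items() if count > 1)
    return []

# Constructed sample: certificate-shaped DER skeleton (unsigned, placeholder values)
def tlv(tag, body=b""):
    assert len(body) < 0x80                 # short-form lengths suffice for this sample
    return bytes([tag, len(body)]) + body
def sample_cert(ext_ids):                   # each id i becomes OID 2.5.29.i
    exts = b"".join(tlv(0x30, tlv(0x06, bytes([0x55, 0x1D, i])) + tlv(0x04, tlv(0x30)))
                    for i in ext_ids)
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 5
           + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30) + tlv(0x03, b"\x00"))
# basicConstraints (19), subjectKeyIdentifier (14), authorityKeyIdentifier (35) twice each
SAMPLE = sample_cert([19, 14, 35, 19, 14, 35, 15])
```

For a PEM file, convert first with `ssl.PEM_cert_to_DER_cert(open("mycert.pem").read())` and pass the result to `duplicate_extensions`; a non-empty list means the certificate violates the RFC 5280 uniqueness rule.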