> On Dec 3, 2018, at 1:47 PM, Sands, Daniel via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>
> Just wondering, is there a different error for an untrusted
> cross-signed root? If it's the same error, then maybe remove
> "self-signed" from the above message too, because that would not
> always be the case either.

A cross-signed CA certificate is not self-signed (or even self-issued),
the two are mutually exclusive:

   This specification covers two classes of certificates: CA
   certificates and end entity certificates. CA certificates may be
   further divided into three classes: cross-certificates, self-issued

   Cooper, et al.              Standards Track                    [Page 12]
   RFC 5280            PKIX Certificate and CRL Profile            May 2008

   certificates, and self-signed certificates. Cross-certificates are
   CA certificates in which the issuer and subject are different
   entities. Cross-certificates describe a trust relationship between
   the two CAs. Self-issued certificates are CA certificates in which
   the issuer and subject are the same entity. Self-issued certificates
   are generated to support changes in policy or operations.
   Self-signed certificates are self-issued certificates where the
   digital signature may be verified by the public key bound into the
   certificate. Self-signed certificates are used to convey a public
   key for use to begin certification paths. End entity certificates
   are issued to subjects that are not authorized to issue
   certificates.

In OpenSSL there's no such thing as a "cross-signed root", the
constructed chain contains a leaf certificate, some set of cross-signed
or self-issued intermediate certificates, and finally a self-signed
"root" (ignoring for the moment support for "partial chains" and DANE).

--
Viktor.
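
The three RFC 5280 classes quoted in the message above, as an added example that is not part of the original post: it builds one certificate of each class with the openssl command-line tool and sorts them with the RFC's own tests (issuer versus subject name, then signature under the certificate's own key). The `classify` function, the file names and the "Example" subject names are constructed for illustration; OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example: sort CA certificates into the RFC 5280 classes quoted above.
# classify, the file names and the CN values are constructed, not from the post.

# Assumes $1 is a PEM-encoded CA certificate; prints its class.
classify() {
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    # Drop the "issuer=" / "subject=" label before comparing the two names.
    if [ "${issuer#*=}" != "${subject#*=}" ]; then
        echo "cross-certificate"
    # Self-signed only if the signature verifies under the certificate's own
    # key; -check_ss_sig makes "openssl verify" actually check that signature.
    elif openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo "self-signed"
    else
        # Same issuer and subject, but signed with some other key.
        echo "self-issued"
    fi
}

d=$(mktemp -d)
# Root A: issuer == subject, signed with its own key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root A" \
    -keyout "$d/a.key" -out "$d/a.pem" 2>/dev/null
# Same name as Root A, new key, signed with A's old key (a key rollover).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root A" \
    -keyout "$d/a2.key" -out "$d/a2.csr" 2>/dev/null
openssl x509 -req -in "$d/a2.csr" -CA "$d/a.pem" -CAkey "$d/a.key" \
    -CAcreateserial -days 1 -out "$d/a-rollover.pem" 2>/dev/null
# CA B's key certified by Root A: issuer and subject are different entities.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example CA B" \
    -keyout "$d/b.key" -out "$d/b.csr" 2>/dev/null
openssl x509 -req -in "$d/b.csr" -CA "$d/a.pem" -CAkey "$d/a.key" \
    -CAcreateserial -days 1 -out "$d/b-cross.pem" 2>/dev/null

for c in a.pem a-rollover.pem b-cross.pem; do
    printf '%-16s %s\n' "$c" "$(classify "$d/$c")"
done
```

Only `a.pem` can terminate a chain as the self-signed "root" described above; the other two can appear only as intermediates.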