On 2020-03-03 08:19, Viktor Dukhovni wrote:
> On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote:
> > when I tried to verify the self signed certificate in OpenSSL 1.0.2 it
> > is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
> > 1.1.1 there is a slight change in the behavior it also gives the same error,
> > but instead of OK it gives a different error as "*ca.crt: verification failed*"
> > as follows.
>
> The 1.1.1 behaviour is correct. But you also don't seem to have a clear
> idea of what it means to "verify" a self-signed certificate. Indeed
> most likely you don't actually want to verify it at all, and are really
> trying to solve another problem, which you've decided involves verifying
> the certificate in question. So it is likely best to describe the
> *actual* issue you're trying to solve.

Depends heavily on whether you formally interpret a self-signed and self-issued
end cert as a CA issuing itself (thus requiring CA:TRUE and making it
invalid as an end cert) or as an end cert with no separate CA chain
(thus requiring CA:FALSE and making it not trusted as a CA for any other
certificate).

Either way, the typical case is to use such a self-signed and self-issued
cert in the various OpenSSL supported protocols (SSL, TLS, CMS etc.)

> However, that said:
>
> >     openssl verify ./ca.crt
>
> This command verifies the certificate in question by trying to find in
> the default store a chain of issuers leading up to a trust anchor
> (typically a self-signed root CA).
>
> But a self-signed certificate is self-issued, so unless it is itself
> present in the trust store, no possible issuer can be found there. So
> verification must always fail, and so it does.
>
> > why am I getting this error?
>
> Well ultimately because you don't know what you're trying to do,
> but specifically because the certificate is not issued by an
> already trusted issuer.
>
> > is this an expected behavior in OpenSSL 1.1.1?
>
> Yes.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
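The two outcomes Viktor describes above (verification against the default store fails with error 18; verification succeeds only once the self-signed certificate is itself in the trust store) can be reproduced with a throw-away certificate. The script below is an added example, not code from this thread or from the OpenSSL project. It assumes the `openssl` command-line tool (1.1.1 or later, so that `openssl verify` exits non-zero on failure) is on PATH; the temporary directory, the file names `ca.key`/`ca.crt` and the subject `CN=demo-self-signed` are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the behaviour of
# "openssl verify" on a self-signed certificate, with and without
# that certificate being present in the trust store.
# Assumes the openssl CLI (1.1.1 or later) is on PATH.

WORK="$(mktemp -d)"                 # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT          # remove the throw-away key and cert on exit

# Generate a fresh self-signed certificate. The key is created only for
# this demonstration and is deleted with the scratch directory.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-self-signed" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Verify against the default trust store only. Expected result: "fail",
# because a self-signed certificate has no issuer in that store
# (OpenSSL reports error 18, "self signed certificate", at depth 0).
verify_untrusted() {
    if openssl verify "$WORK/ca.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Verify the same certificate after adding it to the trust store with
# -CAfile. Expected result: "ok", since the certificate is now the trust
# anchor and the chain of length one terminates at it.
verify_as_anchor() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/ca.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Print OpenSSL's own diagnostics for the untrusted case, so the error 18
# line and the "verification failed" line from the thread can be seen.
show_diagnostics() {
    openssl verify "$WORK/ca.crt" 2>&1 || true
}

make_self_signed
echo "default store only : $(verify_untrusted)"
echo "cert as own anchor : $(verify_as_anchor)"
show_diagnostics
```

With OpenSSL 1.1.1 the first check prints `fail` and the second `ok`; the diagnostics show the `error 18 at 0 depth lookup` line followed by `verification failed`. On OpenSSL 1.0.2 the same error 18 line is printed but the tool still prints `OK` and exits 0, which is exactly the difference the original question observed and which Viktor notes was corrected in 1.1.1.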