> From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Mark Hack
> Sent: Thursday, 1 April, 2021 07:45
> To: openssl-users@xxxxxxxxxxx
> Subject: Re: Why does OpenSSL report google's certificate is "self-signed"?
>
> RFC6066
>
> Note that when a list of URLs for X.509 certificates is used, the
> ordering of URLs is the same as that used in the TLS Certificate
> message (see [RFC5246], Section 7.4.2), but opposite to the order in
> which certificates are encoded in PkiPath. In either case, the
> self-signed root certificate MAY be omitted from the chain, under the
> assumption that the server must already possess it in order to
> validate it.

Thanks! I thought I'd seen something about the question in some standard.

Having seen this, I see that RFC 8446 (TLSv1.3) has essentially the same language: "a certificate that specifies a trust anchor MAY be omitted from the chain" (4.4.2). So servers are good either way.

--
Michael Wojcik