> On 16 Aug 2021, at 9:41 am, Ken Goldman <kgold...@us.ibm.com> wrote: > > Adding -check_ss_sig correctly causes a signature failure.
Well, there you are. See the documentation of "check_ss_sig":
-check_ss_sig
Verify the signature on the self-signed root CA. This is
disabled by default because it doesn't add any security.
> It seems as though the 'verify' command checks the issuer,
> but not the signature of the certificate - the last parameter.
As documented.
--
Viktor.
