On Mon, 16 Aug 2021 16:30:05 +0200,
Ken Goldman wrote:
>
> On 8/16/2021 10:04 AM, Viktor Dukhovni wrote:
> >> It seems as though the 'verify' command checks the issuer,
> >> but not the signature of the certificate - the last parameter.
> >
> > As documented.
>
> Then I am not understanding the d

As documented, the self-signature checks on self-signed certs are by
default skipped. If your trust store can be modified by untrusted
actors, self-signature checks won't help you.

If you want to check the self-signature, pass the "-check_ss_sig"
option.
--
Viktor.

On 8/16/2021 10:04 AM, Viktor Dukhovni wrote:
>> It seems as though the 'verify' command checks the issuer,
>> but not the signature of the certificate - the last parameter.
>
> As documented.

Then I am not understanding the documentation.
https://www.openssl.org/docs/man1.1.1/man1/verify.html
says

> On 16 Aug 2021, at 9:41 am, Ken Goldman wrote:
>
> Adding -check_ss_sig correctly causes a signature failure.

Well, there you are. See the documentation of "check_ss_sig":

    -check_ss_sig
        Verify the signature on the self-signed root CA. This is
        disabled by default because it d

It doesn't seem to be verifying the signature on the certificate
parameter. Version 1.1.1k.

I create an incorrectly signed self-signed certificate and convert it from
DER to PEM.

A basic

    openssl verify -CAfile c1.pem c1.pem

returns OK, even though the signature is bad. Why?
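
The behaviour discussed in this thread, reproduced as an added example that is not part of any message above: a self-signed certificate with a deliberately corrupted signature is used as its own trust anchor and verified with and without `-check_ss_sig`. The function names and the test subject are hypothetical, the certificate is constructed for the demonstration, and the script assumes the `openssl` CLI is on PATH.

```shell
#!/bin/sh
# Added example: all keys and certificates here are constructed test data.

# make_bad_cert DIR: write DIR/c1.pem, a self-signed certificate whose
# signature was corrupted by inverting the final byte of the DER encoding
# (the last byte of the signature BIT STRING).
make_bad_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed test root" \
        -keyout "$dir/key.pem" -outform DER -out "$dir/c1.der" \
        2>/dev/null || return 1
    size=$(wc -c < "$dir/c1.der")
    last=$(tail -c 1 "$dir/c1.der" | od -An -tu1 | tr -d ' \n')
    # XOR with 0xFF guarantees the byte changes; emit it as an octal escape.
    flipped=$(printf '%03o' $((last ^ 255)))
    printf "\\$flipped" |
        dd of="$dir/c1.der" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
    # Converting DER to PEM does not verify the signature.
    openssl x509 -inform DER -in "$dir/c1.der" -out "$dir/c1.pem"
}

# verify_default FILE: FILE is both trust anchor and target, default flags.
verify_default() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# verify_strict FILE: same, with the self-signature check switched on.
verify_strict() {
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

tmp=$(mktemp -d)
if make_bad_cert "$tmp"; then
    verify_default "$tmp/c1.pem" &&
        echo "default: OK (self-signature on the trust anchor not checked)"
    verify_strict "$tmp/c1.pem" ||
        echo "-check_ss_sig: rejected (certificate signature failure)"
fi
rm -rf "$tmp"
```

The default result reflects that a certificate placed in the trust store is trusted by its presence there, which is why the thread points at the integrity of the trust store rather than the self-signature.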