On 31/03/21 19:43, Michael Wojcik wrote:
The only thing I'd like to add to this is that whenever I *do* include
the root anchor in a website and run Qualys' ssllabs test on it, I get a
From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Viktor
Sent: Wednesday, 31 March, 2021 10:31
Subject: Re: Why does OpenSSL report google's certificate is "self-signed"?
It looks like Google includes a self-signed root CA in the wire
certificate chain, and if no match is found in the trust store,
you'll get the reported error.
What do people think about this practice of including the root in the chain?
As far as I can see, neither PKIX (RFC 5280) nor the CA/BF Baseline Requirements say
anything about the practice, though I may have missed something. I had a vague memory
that some standard or "best practice" guideline somewhere said the server
should send the chain up to but not including the root, but I don't know what that might
On the one hand, including the root doesn't help with path validation: either
some certificate along the chain is a trust anchor already, in which case
there's no need to include the root; or it isn't, in which case the peer has no
reason to trust the chain.
On the other, it's useful for debugging, and perhaps for quickly finding
whether the highest intermediate in the chain is signed by a trusted root if
that intermediate is missing an AKID (though we'd hope that isn't the case).
I can also see an application deferring trust to the user in this case: "this chain
ends in this root, which you don't currently trust, but maybe you'd like to add
it?". Which doesn't seem like a great plan either -- and PKIX says trust anchors
should be added using a trustworthy out-of-band procedure, which this is not -- but I
suppose it's a conceivable use case.
Additional Certificates (if supplied)
Certificates provided 3 (5051 bytes)
*Chain issues Contains anchor*
Unfortunately their documentation does not state *why* they print out
this warning or why it would be bad, but I normally remove the trust
anchor from the webserver certificate chain nevertheless. It could very
well be that I'm not the only web admin that follows their advice in
JJK / Jan Just Keijser