> On Dec 15, 2015, at 5:56 PM, Blumenthal, Uri - 0553 - MITLL
> wrote:
>
> And without a decent description of what it is supposed to do, I’m a bit
> lost...
The "-partial_chain" option is (partially :-) documented at:
On Wed, Dec 16, 2015 at 06:56:59PM -0500, Viktor Dukhovni wrote:
> As a final note, with "-partial_chain" any certificate always verifies against
> itself regardless of purpose or basic constraints. Thus, for example:
>
> $ openssl verify -partial_chain -purpose crlsign foo.pem foo.pem
>
>
It appears that openssl verify refuses to deal with self-signed
certificates? Is it the expected/intended behavior? I can easily imagine
circumstances when a user would be happy with a “partial” validation, i.e.
with validating as much as practically possible – like consistency,
correctness of the
On Tue, Dec 15, 2015 at 08:04:45PM +, Blumenthal, Uri - 0553 - MITLL wrote:
> It appears that openssl verify refuses to deal with self-signed
> certificates?
You mean the command-line utility?
$ openssl x509 -in rootcert.pem -subject -issuer
subject= CN = Root CA
issuer= CN =
>> If I want to “partially” verify a certificate via the command-line utility
>> - e.g. when I don’t have the issuing certificate at hand, is there a way
>> to tell openssl tool to go just as far as it can *without* climbing up the
>> cert chain? I understand and agree that it significantly
--
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Viktor
Dukhovni
Sent: Tuesday, December 15, 2015 1:36 PM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] Cannot verify self-signed certificates?
> On Dec 15, 2015, at 4:21 PM, Blumenthal, Uri - 0553 - MITLL <
> On Dec 15, 2015, at 5:00 PM, Nounou Dadoun wrote:
>
> I have actually asked a variant on this question in the past, I would
> rephrase it as I have a certificate chain which doesn't go all the way back
> to a self-signed cert. But I "trust" the highest
On 12/15/15, 17:51 , "openssl-dev on behalf of Viktor Dukhovni"
wrote:
>>On Dec 15, 2015, at 5:30 PM, Blumenthal, Uri - 0553 - MITLL
>> wrote:
>>
>>$ openssl verify --help
>> usage: verify [-verbose]
> On Dec 15, 2015, at 5:30 PM, Blumenthal, Uri - 0553 - MITLL
> wrote:
>
> Also, in your next email you mention “openssl verify -partial_chain”.
> Alas, I don’t see this option:
>
> $ openssl version
> OpenSSL 1.0.2e 3 Dec 2015
> $ openssl verify --help
> usage: verify
On Tue, Dec 15, 2015 at 10:56:59PM +, Blumenthal, Uri - 0553 - MITLL wrote:
> $ openssl verify -verbose -CAfile ~/Certs/RabbitMQ_CA.pem -partial_chain
> -purpose sslclient RabbitMQ_Dev.pem
> RabbitMQ_Dev.pem: OK
Well if that CAfile yields a path to a root CA, the "-partial_chain"
option
On 12/15/15, 15:34 , "openssl-dev on behalf of Viktor Dukhovni"
wrote:
>On Tue, Dec 15, 2015 at 08:04:45PM +, Blumenthal, Uri - 0553 - MITLL
>wrote:
>> It appears that openssl verify refuses to deal with self-signed
>>