Re: [openssl-dev] Cannot verify self-signed certificates?

2015-12-16 Thread Viktor Dukhovni
> On Dec 15, 2015, at 5:56 PM, Blumenthal, Uri - 0553 - MITLL
> wrote:
>
> And without a decent description of what it is supposed to do, I’m a bit
> lost...

The "-partial_chain" option is (partially :-) documented at:

Re: [openssl-dev] Cannot verify self-signed certificates?

2015-12-16 Thread Viktor Dukhovni
On Wed, Dec 16, 2015 at 06:56:59PM -0500, Viktor Dukhovni wrote:
> As a final note, with "-partial_chain" any certificate always verifies against
> itself regardless of purpose or basic constraints. Thus, for example:
>
>   $ openssl verify -partial_chain -purpose crlsign foo.pem foo.pem
>
>

[openssl-dev] Cannot verify self-signed certificates?

2015-12-15 Thread Blumenthal, Uri - 0553 - MITLL
It appears that openssl verify refuses to deal with self-signed certificates? Is it the expected/intended behavior? I can easily imagine circumstances when a user would be happy with a “partial” validation, i.e. with validating as much as practically possible – like consistency, correctness of the

Re: [openssl-dev] Cannot verify self-signed certificates?

2015-12-15 Thread Viktor Dukhovni
On Tue, Dec 15, 2015 at 08:04:45PM +, Blumenthal, Uri - 0553 - MITLL wrote:
> It appears that openssl verify refuses to deal with self-signed
> certificates?

You mean the command-line utility?

  $ openssl x509 -in rootcert.pem -subject -issuer
  subject= CN = Root CA
  issuer= CN =

Re: [openssl-dev] Cannot verify self-signed certificates?

2015-12-15 Thread Blumenthal, Uri - 0553 - MITLL
>>If I want to “partially” verify a certificate via the command-line utility
>> - e.g. when I don’t have the issuing certificate at hand, is there a way
>> to tell openssl tool to go just as far as it can *without* climbing up the
>> cert chain? I understand and agree that it significantly

Re: [openssl-dev] Cannot verify self-signed certificates?

2015-12-15 Thread Nounou Dadoun
--
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Viktor Dukhovni
Sent: Tuesday, December 15, 2015 1:36 PM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] Cannot verify self-signed certificates?

> On Dec 15, 2015, at 4:21 PM, Blumenthal, Uri - 0553 - MITLL <

Re: [openssl-dev] Cannot verify self-signed certificates?

2015-12-15 Thread Viktor Dukhovni
> On Dec 15, 2015, at 5:00 PM, Nounou Dadoun wrote:
>
> I have actually asked a variant on this question in the path, I would
> rephrase it as I have a certificate chain which doesn't go all the way back
> to a self-signed cert. But I "trust" the highest

Re: [openssl-dev] Cannot verify self-signed certificates?

2015-12-15 Thread Blumenthal, Uri - 0553 - MITLL
On 12/15/15, 17:51 , "openssl-dev on behalf of Viktor Dukhovni" wrote:
>>On Dec 15, 2015, at 5:30 PM, Blumenthal, Uri - 0553 - MITLL
>> wrote:
>>
>>$ openssl verify --help
>> usage: verify [-verbose]

Re: [openssl-dev] Cannot verify self-signed certificates?

2015-12-15 Thread Viktor Dukhovni
> On Dec 15, 2015, at 5:30 PM, Blumenthal, Uri - 0553 - MITLL
> wrote:
>
> Also, in your next email you mention “openssl verify -partial_chain”.
> Alas, I don’t see this option:
>
> $ openssl version
> OpenSSL 1.0.2e 3 Dec 2015
> $ openssl verify --help
> usage: verify

Re: [openssl-dev] Cannot verify self-signed certificates?

2015-12-15 Thread Viktor Dukhovni
On Tue, Dec 15, 2015 at 10:56:59PM +, Blumenthal, Uri - 0553 - MITLL wrote:
> $ openssl verify -verbose -CAfile ~/Certs/RabbitMQ_CA.pem -partial_chain
> -purpose sslclient RabbitMQ_Dev.pem
> RabbitMQ_Dev.pem: OK

Well if that CAfile yields a path to a root CA, the "-partial_chain" option

Re: [openssl-dev] Cannot verify self-signed certificates?

2015-12-15 Thread Blumenthal, Uri - 0553 - MITLL
On 12/15/15, 15:34 , "openssl-dev on behalf of Viktor Dukhovni" wrote:
>On Tue, Dec 15, 2015 at 08:04:45PM +, Blumenthal, Uri - 0553 - MITLL
>wrote:
>> It appears that openssl verify refuses to deal with self-signed
>>