问题
In a shell script I want to verify a x509 certificate with openssl to be shure that it is valid and signed by one of my root CAs. I tried this:
openssl verify -CAfile /path/to/CAfile mycert.pem
It works but for a self signed certificate I get the output:
error 18 at 0 depth lookup:self signed certificate
OK
The error is shown but it ends with OK and the status code is 0 so I don't get an error in my script. I could parse the output but that's not a robust code for a secure production environment. I need a command that yields an error on self signed certificates.
EDIT
% openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
% cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
works with openssl 1.1.1
回答1:
Using your code, a dummy CA and a dummy self-signed cert I cannot replicate your results. Please update your example or include the openssl version.
Last output line is error: mycert.pem: verification failed
and the return code is 2 (echo $?
) as opposed to the OK message with a 0 return code. I also get the error 18 self-signed message you received. I am using openssl 1.1.1i.
Error 18 is in fact, a robust error code and is documented in the openssl verify man page as the code specifically for self signed certificates.
来源:https://stackoverflow.com/questions/65904954/verify-x509-certificate-with-openssl-to-be-valid-and-signed-by-trusted-cas