In a shell script I want to verify a x509 certificate with openssl to be sure that it is valid and signed by one of my root CAs. I tried this:
openssl verify -CAfile /path/to/CAfile mycert.pem
It works but for a self signed certificate I get the output:
error 18 at 0 depth lookup:self signed certificate
OK
The error is shown but it ends with OK and the status code is 0 so I don't get an error in my script.
I could parse the output but that's not a robust code for a secure production environment.
I need a command that yields an error on self signed certificates.
EDIT
% openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
% cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
works with openssl 1.1.1
Using your code, a dummy CA and a dummy self-signed cert I cannot replicate your results. Please update your example or include the openssl version.
Last output line is error: mycert.pem: verification failed and the return code is 2 (echo $?) as opposed to the OK message with a 0 return code. I also get the error 18 self-signed message you received. I am using openssl 1.1.1i.
Error 18 is in fact, a robust error code and is documented in the openssl verify man page as the code specifically for self signed certificates.