2021-06-04 - very much invalid self-signed certificate

X.509 certificates are not issued for private networks (as these are not unique). while it does make sense, it often means that the only secure way of deploying HTTPS in some organizations is to issue a self-signed certificate. it is also a very often practice in R&D, for temporary/test/dev instances.

R&D setup in one of our test deployments was no different here… except it did not worked with some clients. it however did work just fine for others. it took some digging into the subject, to find out that that fact it worked for some clients was a bug in and older OpenSSL library. the thing is that self-signed certificate must have “CA” flag set to true, in order to be valid (i.e. it must form a 1-element chain of trust). if it does not, technically the certificate is invalid.

you normally do not see this, since OpenSSL by default makes self-signed certificates marked as CAs. in our case the issue was that some1 user non-standard settings, when creating certificate, and missed that particular detail. since it worked with his browser, all looked good at a glance. well – in any system, that is complex enough, there will always be some discrepancy between specification and implementation.

blog/2021/06/04/2021-06-04_-_very_much_invalid_self-signed_certificate.txt · Last modified: 2021/06/15 20:09 (external edit)
Back to top
Valid CSS Driven by DokuWiki Recent changes RSS feed Valid XHTML 1.0