x509certificate - verify x509 certificate with openssl to be valid and signed by trusted CAs

Question

In a shell script I want to verify a x509 certificate with openssl to be shure that it is valid and signed by one of my root CAs. I tried this:

openssl verify -CAfile /path/to/CAfile mycert.pem

It works but for a self signed certificate I get the output:

error 18 at 0 depth lookup:self signed certificate
OK

The error is shown but it ends with OK and the status code is 0 so I don't get an error in my script. I could parse the output but that's not a robust code for a secure production environment. I need a command that yields an error on self signed certificates.

EDIT

% openssl version 
OpenSSL 1.0.2k-fips  26 Jan 2017
% cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.9 (Maipo)

works with openssl 1.1.1

question from:https://stackoverflow.com/questions/65904954/verify-x509-certificate-with-openssl-to-be-valid-and-signed-by-trusted-cas

Answer 1

Using your code, a dummy CA and a dummy self-signed cert I cannot replicate your results. Please update your example or include the openssl version.

Last output line is error: mycert.pem: verification failed and the return code is 2 (echo $?) as opposed to the OK message with a 0 return code. I also get the error 18 self-signed message you received. I am using openssl 1.1.1i.

Error 18 is in fact, a robust error code and is documented in the openssl verify man page as the code specifically for self signed certificates.