@@ -109,7 +109,10 @@ function pem_check_chain {
|
109 |
109 |
echo "[!!] This certificate's subject key identifier does NOT match the previous certificate's authority key identifier."
|
110 |
110 |
fi
|
111 |
111 |
|
112 |
|
- local verify_cmd=(openssl verify -partial_chain -trusted "${pem}" "${prev_pem}")
|
|
112 |
+ # Use -CAfile instead of -trusted to ensure openssl will trust ONLY the
|
|
113 |
+ # current certificate; this is useful is the previous certificate
|
|
114 |
+ # happens to be in openssl's system-wide CA store.
|
|
115 |
+ local verify_cmd=(openssl verify -partial_chain -CAfile "${pem}" "${prev_pem}")
|
113 |
116 |
if "${verify_cmd[@]}" > verify_out 2>&1; then
|
114 |
117 |
echo "[ok] ${verify_cmd[*]} succeeded"
|
115 |
118 |
else
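Review bot: The rationale in the new comment above the `verify_cmd` assignment looks reversed for OpenSSL 1.1 and later: as I read verify(1), `-trusted` implies `-no-CAfile`/`-no-CApath` (plus `-no-CAstore` on 3.x) and so already excludes the system-wide store, whereas `-CAfile` only replaces the default CA file and still loads the default CApath/CAstore unless those are disabled explicitly. If the intent is that the verification trusts only the current certificate, the no-default flags should be passed as well, e.g. `local verify_cmd=(openssl verify -partial_chain -no-CAfile -no-CApath -CAfile "${pem}" "${prev_pem}")`, with the exact flag set confirmed against the OpenSSL versions this script targets, since `-no-CAstore` is 3.x-only. The comment also has a typo on the second line: `# current certificate; this is useful if the previous certificate`. The enclosing function pem_check_chain starts before the hunk and continues past it.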
|