
check-fullchain: improve openssl verify command.

Xavier G authored on 18/03/2021 20:39:49
Showing 1 changed files

@@ -109,7 +109,10 @@ function pem_check_chain {
109 109
 			echo "[!!] This certificate's subject key identifier does NOT match the previous certificate's authority key identifier."
110 110
 		fi
111 111
 
112
-		local verify_cmd=(openssl verify -partial_chain -trusted "${pem}" "${prev_pem}")
112
+		# Use -CAfile instead of -trusted to ensure openssl will trust ONLY the
113
+		# current certificate; this is useful is the previous certificate
114
+		# happens to be in openssl's system-wide CA store.
115
+		local verify_cmd=(openssl verify -partial_chain -CAfile "${pem}" "${prev_pem}")
113 116
 		if "${verify_cmd[@]}" > verify_out 2>&1; then
114 117
 			echo "[ok] ${verify_cmd[*]} succeeded"
115 118
 		else
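Review bot: The new `-CAfile "${pem}"` on line 115 replaces only the default CA *file*; unless `-no-CApath` (and `-no-CAstore` on OpenSSL 3) is also passed, `openssl verify` still loads the default CA directory/store, so the comment's promise to trust ONLY the current certificate does not hold on a host whose hashed CA dir contains the previous certificate — on 1.1.x, `-trusted` is in fact the option documented as implying no default store. Where the installed openssl is 1.1.0 or newer, the isolated form is `local verify_cmd=(openssl verify -partial_chain -no-CAfile -no-CApath -CAfile "${pem}" "${prev_pem}")`, with `-no-CAstore` added for 3.x; if older versions must be supported, the comment should say the isolation is best-effort rather than guaranteed. The comment on line 113 also has a typo, `this is useful is the previous certificate` should read `this is useful if the previous certificate`. The enclosing `pem_check_chain` function starts and ends outside this hunk.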