What will it happen when a certificate has an empty issuer?
I recently created a certificate chain, on which some certificates
happen to have “empty” issuers/subjects. Clearly, these certificates
violate Section 22.214.171.124, RFC5280: “The issuer field MUST contain
a non-empty distinguished name (DN)”. Meanwhile, the chain can
still pass certificate verification. Does openssl have a bug here?
(Or do I have some misunderstandings on openssl in its parsing or
verification procedure?) Will it cause any further problems in
The command I used is:
openssl verify --show_chain --CAfile 5009_root.pem 5009_leaf.pem