If you're only using the certificate for the public key, why bother calling validate? If you want to know that the file isn't corrupted, it isn't ... or you would have gotten a very different error.
The validation algorithm is upset because the certificate has a Key Usage extension that does not specify the Certificate Sign usage. In future revisions of the certificate, add the Certificate Sign usage or omit the Key Usage extension entirely.
If you were to edit the certificate to remove the extension, the signature would no longer verify against the public key, so the certificate would be self-issued but not self-signed ... which means there would have to be a parent certificate somewhere. So it doesn't really solve any problem for you. The effective answer is "no, you need the private key to re-issue a self-signed certificate".
Experiment data:
ss_badku.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2818056532535039313 (0x271bbf7c52b85551)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Experiment
        Validity
            Not Before: Jan 26 15:00:55 2018 GMT
            Not After : Jan 26 16:00:55 2028 GMT
        Subject: CN=Experiment
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:9b:6a:6e:37:39:84:57:04:53:34:64:3e:73:f0:
                    76:c1:9d:04:e5:81:37:02:cc:6d:02:f7:5d:38:3a:
                    2e:b0:5f:5b:42:ad:67:52:cc:88:95:46:92:50:b7:
                    30:6b:c5:c6:36:e3:8c:48:24:6a:1c:5a:dd:92:1a:
                    25:44:c8:61:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing
            X509v3 Subject Key Identifier:
                5F:59:83:8E:FB:D3:13:BD:70:5F:E9:38:C3:A3:D9:49:F6:F4:BD:31
            X509v3 Key Usage: critical
                Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         95:49:6c:90:bb:87:92:54:ba:c9:1b:a6:98:7a:9e:29:15:b7:
         b0:c7:75:fa:e2:66:4c:79:74:71:69:e3:17:cf:dc:6f:90:a2:
         f4:f1:7f:51:cd:7c:14:ed:6f:7d:32:55:55:41:8d:91:d2:31:
         2d:76:b0:6c:3f:76:6e:41:40:61
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
ss_noku.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10026821066004793515 (0x8b266ca2999e88ab)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Experiment
        Validity
            Not Before: Jan 26 15:00:55 2018 GMT
            Not After : Jan 26 16:00:55 2028 GMT
        Subject: CN=Experiment
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:9b:6a:6e:37:39:84:57:04:53:34:64:3e:73:f0:
                    76:c1:9d:04:e5:81:37:02:cc:6d:02:f7:5d:38:3a:
                    2e:b0:5f:5b:42:ad:67:52:cc:88:95:46:92:50:b7:
                    30:6b:c5:c6:36:e3:8c:48:24:6a:1c:5a:dd:92:1a:
                    25:44:c8:61:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing
            X509v3 Subject Key Identifier:
                5F:59:83:8E:FB:D3:13:BD:70:5F:E9:38:C3:A3:D9:49:F6:F4:BD:31
    Signature Algorithm: sha256WithRSAEncryption
         72:a1:23:a0:00:c1:e0:dc:9a:11:21:4b:57:aa:42:49:c5:ae:
         05:e7:97:43:71:75:2d:33:b2:9f:96:4c:45:4d:80:91:51:5a:
         6f:bb:f3:03:67:10:f9:ac:f8:d5:00:b5:4b:85:10:2e:d7:45:
         d2:8f:e1:2e:0b:98:dd:e3:3e:fb
-----BEGIN CERTIFICATE-----
MIIBbTCCARegAwIBAgIJAIsmbKKZnoirMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNV
BAMTCkV4cGVyaW1lbnQwHhcNMTgwMTI2MTUwMDU1WhcNMjgwMTI2MTYwMDU1WjAV
MRMwEQYDVQQDEwpFeHBlcmltZW50MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJtq
bjc5hFcEUzRkPnPwdsGdBOWBNwLMbQL3XTg6LrBfW0KtZ1LMiJVGklC3MGvFxjbj
jEgkahxa3ZIaJUTIYRMCAwEAAaNKMEgwJwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsG
AQUFBwMCBggrBgEFBQcDAzAdBgNVHQ4EFgQUX1mDjvvTE71wX+k4w6PZSfb0vTEw
DQYJKoZIhvcNAQELBQADQQByoSOgAMHg3JoRIUtXqkJJxa4F55dDcXUtM7KflkxF
TYCRUVpvu/MDZxD5rPjVALVLhRAu10XSj+EuC5jd4z77
-----END CERTIFICATE-----
ss_ku.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14221161353214574683 (0xc55bb6e75fde405b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Experiment
        Validity
            Not Before: Jan 26 15:00:55 2018 GMT
            Not After : Jan 26 16:00:55 2028 GMT
        Subject: CN=Experiment
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:9b:6a:6e:37:39:84:57:04:53:34:64:3e:73:f0:
                    76:c1:9d:04:e5:81:37:02:cc:6d:02:f7:5d:38:3a:
                    2e:b0:5f:5b:42:ad:67:52:cc:88:95:46:92:50:b7:
                    30:6b:c5:c6:36:e3:8c:48:24:6a:1c:5a:dd:92:1a:
                    25:44:c8:61:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing
            X509v3 Subject Key Identifier:
                5F:59:83:8E:FB:D3:13:BD:70:5F:E9:38:C3:A3:D9:49:F6:F4:BD:31
            X509v3 Key Usage: critical
                Key Encipherment, Certificate Sign
    Signature Algorithm: sha256WithRSAEncryption
         5e:eb:47:69:b0:65:c2:c1:d8:ee:85:0d:66:ae:76:96:ab:47:
         bc:dd:ea:2e:c8:f6:bf:1d:c2:1f:d3:e6:f0:ca:1a:80:5d:00:
         7c:a5:cd:2b:0d:b9:b1:31:84:f9:ed:75:72:5a:31:82:ef:c3:
         9e:7e:16:b3:68:aa:89:8a:80:52
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
And the run:
$ openssl verify ss_badku.cer ss_noku.cer ss_ku.cer
ss_badku.cer: CN = Experiment
error 20 at 0 depth lookup:unable to get local issuer certificate
ss_noku.cer: CN = Experiment
error 18 at 0 depth lookup:self signed certificate
OK
ss_ku.cer: CN = Experiment
error 18 at 0 depth lookup:self signed certificate
OK
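As an added example, not part of the answer above and not any library's code: a stdlib-only Python walk over the certificate's DER that reports the two facts the experiment turns on, whether issuer and subject match, and whether a keyUsage extension is present and includes keyCertSign. SS_NOKU is the ss_noku.cer PEM printed above; the badku and ku variants are not the page's files but are constructed here by appending a keyUsage extension to that certificate, for parsing only (their signatures therefore no longer match). verdict() encodes the rule the three verify results above exhibit for the verifier used there; that it treats an absent keyUsage as permitting certificate signing is an assumption about that verifier, not a property of X.509 itself. Tag constants, the KU bit order and the keyUsage OID follow RFC 5280.

```python
import base64

KEY_USAGE_OID = "2.5.29.15"
KU_BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def der_tlv(buf, pos):
    """Tag/length header at pos -> (tag, value_start, value_end, next_pos).
    Single-byte tags and definite lengths only, which is all X.509 uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def der_children(buf, start, end):
    """Yield (tag, value_bytes) for every TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = der_tlv(buf, pos)
        yield tag, buf[vs:ve]

def der_encode(tag, content):
    """Re-encode one TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for c in raw[1:]:                       # base-128 arcs, high bit = continuation
        val = (val << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_key_usage(bitstring):
    """BIT STRING content: first byte = count of unused trailing bits, then the bits."""
    unused, bits = bitstring[0], bitstring[1:]
    nbits = min(len(bits) * 8 - unused, len(KU_BIT_NAMES))
    return [KU_BIT_NAMES[i] for i in range(nbits) if bits[i // 8] & (0x80 >> (i % 8))]

def inspect_cert(der):
    """-> {'self_issued': bool, 'key_usage': list of names, or None if the extension is absent}"""
    _, vs, _, _ = der_tlv(der, 0)                         # Certificate
    _, ts, te, _ = der_tlv(der, vs)                       # tbsCertificate
    fields = list(der_children(der, ts, te))
    if fields[0][0] == 0xA0:                              # drop the explicit [0] version
        fields = fields[1:]
    info = {"self_issued": fields[2][1] == fields[4][1], "key_usage": None}  # issuer vs subject DER
    for tag, val in fields[5:]:
        if tag != 0xA3:                                   # [3] extensions
            continue
        _, es, ee, _ = der_tlv(val, 0)                    # the Extensions SEQUENCE
        for _, ext in der_children(val, es, ee):
            parts = list(der_children(ext, 0, len(ext)))  # OID, [critical BOOLEAN], OCTET STRING
            if decode_oid(parts[0][1]) == KEY_USAGE_OID:
                _, bs, be, _ = der_tlv(parts[-1][1], 0)   # BIT STRING inside the OCTET STRING
                info["key_usage"] = decode_key_usage(parts[-1][1][bs:be])
    return info

def verdict(der):
    """Rule the experiment above exhibits (assumed for that verifier): a self-issued cert
    counts as its own issuer only if keyUsage is absent or includes keyCertSign."""
    info = inspect_cert(der)
    if not info["self_issued"]:
        return "not self-issued"
    if info["key_usage"] is None or "keyCertSign" in info["key_usage"]:
        return "self-signed"
    return "self-issued, keyUsage lacks keyCertSign"

def add_key_usage(der, ku_bitstring, critical=True):
    """Constructed variant for parsing only: append a KeyUsage extension and re-wrap.
    The original signature no longer covers the new tbsCertificate."""
    _, vs, ve, _ = der_tlv(der, 0)
    (tt, tbs), (at, alg), (st, sig) = der_children(der, vs, ve)
    fields = list(der_children(tbs, 0, len(tbs)))
    _, es, ee, _ = der_tlv(fields[-1][1], 0)              # existing [3] extensions
    exts = b"".join(der_encode(t, v) for t, v in der_children(fields[-1][1], es, ee))
    ku_ext = der_encode(0x30, der_encode(0x06, b"\x55\x1d\x0f")              # id-ce-keyUsage
                        + (der_encode(0x01, b"\xff") if critical else b"")
                        + der_encode(0x04, der_encode(0x03, ku_bitstring)))
    new_tbs = der_encode(tt, b"".join(der_encode(t, v) for t, v in fields[:-1])
                         + der_encode(0xA3, der_encode(0x30, exts + ku_ext)))
    return der_encode(0x30, new_tbs + der_encode(at, alg) + der_encode(st, sig))

# ss_noku.cer exactly as printed in the answer above (the only PEM body shown in full).
SS_NOKU_PEM = """-----BEGIN CERTIFICATE-----
MIIBbTCCARegAwIBAgIJAIsmbKKZnoirMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNV
BAMTCkV4cGVyaW1lbnQwHhcNMTgwMTI2MTUwMDU1WhcNMjgwMTI2MTYwMDU1WjAV
MRMwEQYDVQQDEwpFeHBlcmltZW50MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJtq
bjc5hFcEUzRkPnPwdsGdBOWBNwLMbQL3XTg6LrBfW0KtZ1LMiJVGklC3MGvFxjbj
jEgkahxa3ZIaJUTIYRMCAwEAAaNKMEgwJwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsG
AQUFBwMCBggrBgEFBQcDAzAdBgNVHQ4EFgQUX1mDjvvTE71wX+k4w6PZSfb0vTEw
DQYJKoZIhvcNAQELBQADQQByoSOgAMHg3JoRIUtXqkJJxa4F55dDcXUtM7KflkxF
TYCRUVpvu/MDZxD5rPjVALVLhRAu10XSj+EuC5jd4z77
-----END CERTIFICATE-----"""
SS_NOKU = base64.b64decode("".join(SS_NOKU_PEM.splitlines()[1:-1]))
SS_BADKU = add_key_usage(SS_NOKU, b"\x05\x20")   # constructed: keyEncipherment only, like ss_badku.cer
SS_KU = add_key_usage(SS_NOKU, b"\x02\x24")      # constructed: keyEncipherment + keyCertSign, like ss_ku.cer
```

Running inspect_cert() and verdict() over the three gives "self-signed" for SS_NOKU and SS_KU and "self-issued, keyUsage lacks keyCertSign" for SS_BADKU, which is the one case above where the chain builder went looking for a parent that does not exist (error 20). add_key_usage() also makes the answer's last point concrete: any edit to the extensions changes the tbsCertificate bytes, and those bytes are exactly what the signature covers, so the file can only be repaired by re-signing with the private key.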