Finding whether a certificate is self-signed or CA-signed

Updated: 2022-06-10 05:15:03

There are two better answers on this question today:

However, I think there's something more important to address -- why would one want to know about self-signed certificates. What's the goal? What problem is being solved? Probably trying to split certificates into two piles, self-signed and not-self-signed, is the wrong approach for most situations. The better approach is almost certainly going to be verifying that any given certificate has a valid signature chain from a trusted certificate authority, and that any connections associated with a given certificate match the certificate.

Here's the rest of my original answer. It's probably not what you want.

It's a bit hacky, but the openssl x509 command can report both the issuer and the subject. If the subject and issuer are the same, it is self-signed; if they are different, then it was signed by a CA. (Strictly speaking, a great many self-signed certificates are also signed by a CA -- themselves.)

While testing this theory, I ran a handful of tests; it runs something like:

cd /etc/ssl/certs
# -noout suppresses the PEM body, so the issuer/subject line is the only output;
# file names are quoted in case a certificate name contains spaces.
for f in *.0 ; do
    openssl x509 -in "$f" -noout -issuer  > "/tmp/$f.issuer"
    openssl x509 -in "$f" -noout -subject > "/tmp/$f.subject"
done
cd /tmp
# strip the "issuer=" / "subject=" prefixes so the two names can be diffed directly
sed -i -e 's/^issuer=//' *.issuer
sed -i -e 's/^subject=//' *.subject
cd /etc/ssl/certs/
# no diff output means subject and issuer are identical (self-signed by the answer's test)
for f in *.0 ; do diff -u "/tmp/$f.issuer" "/tmp/$f.subject" ; done

Hope this helps.
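As an added example, not code from the original answer, the script below puts the answer's subject-versus-issuer heuristic into a function and then adds the stronger check the answer's first part argues for: actually verifying the signature. It builds three constructed test certificates with the openssl command line tool in a temporary directory (a genuine self-signed certificate, a CA-signed leaf, and a look-alike whose issuer name equals its subject name but whose signature was made with a different key) and classifies each. The names, subjects and file paths are assumptions made for the demonstration; the classification labels are this example's own.

```shell
#!/bin/sh
# Added example, not the original answer's code: classify a certificate as
# self-signed, CA-signed, or "name-match-only" (issuer name equals subject
# name, but the signature was not made with the certificate's own key).
# Requires the openssl command line tool; subjects and file names below are
# constructed for this demonstration.
set -e

# Create three constructed test certificates in directory $1.
make_fixtures() {
    dir=$1
    # 1. A genuine self-signed certificate (signed with its own key).
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example-self" -days 1 \
        -keyout "$dir/self.key" -out "$dir/self.pem" 2>/dev/null
    # 2. A CA and a leaf certificate it signs (subject and issuer differ).
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example-ca" -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-leaf" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
    # 3. A look-alike: its own key, and its subject equals the issuer name,
    #    but the signature comes from self.key. Comparing names alone cannot
    #    tell it apart from certificate 1.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-self" \
        -keyout "$dir/lookalike.key" -out "$dir/lookalike.csr" 2>/dev/null
    openssl x509 -req -in "$dir/lookalike.csr" -CA "$dir/self.pem" -CAkey "$dir/self.key" \
        -CAcreateserial -days 1 -out "$dir/lookalike.pem" 2>/dev/null
}

# Print the distinguished names in RFC 2253 form so they compare textually.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }

# Step 1 is the answer's heuristic: different names mean another entity signed it.
# Step 2 verifies the certificate against itself; -check_ss_sig makes OpenSSL
# check the self-signature instead of trusting the anchor by name alone.
classify_cert() {
    cert=$1
    if [ "$(cert_subject "$cert")" != "$(cert_issuer "$cert")" ]; then
        echo "ca-signed"
    elif openssl verify -check_ss_sig -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "self-signed"
    else
        echo "name-match-only"
    fi
}

# Build the fixtures and print one classification line per certificate.
demo() {
    dir=$(mktemp -d)
    make_fixtures "$dir"
    for c in self ca leaf lookalike; do
        printf '%-10s subject=%s issuer=%s -> %s\n' "$c" \
            "$(cert_subject "$dir/$c.pem")" "$(cert_issuer "$dir/$c.pem")" \
            "$(classify_cert "$dir/$c.pem")"
    done
    rm -rf "$dir"
}

# Run the demonstration only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh classify_cert.sh --demo`. The look-alike is the case the answer's own caveat hints at: subject and issuer are identical, yet `openssl verify -check_ss_sig` rejects it because the signature does not verify with the certificate's own key, so the name comparison alone would have misfiled it as self-signed.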