1999-11-29 09:09:25 +08:00
|
|
|
=pod
|
2019-10-31 11:35:08 +08:00
|
|
|
{- OpenSSL::safe::output_do_not_edit_headers(); -}
|
2019-10-13 05:45:56 +08:00
|
|
|
|
1999-11-29 09:09:25 +08:00
|
|
|
=head1 NAME
|
|
|
|
|
2020-02-19 00:52:12 +08:00
|
|
|
openssl-verify - certificate verification command
|
1999-11-29 09:09:25 +08:00
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
B<openssl> B<verify>
|
2016-02-06 00:58:45 +08:00
|
|
|
[B<-help>]
|
2019-09-26 03:20:11 +08:00
|
|
|
[B<-CRLfile> I<file>]
|
2015-06-25 19:34:38 +08:00
|
|
|
[B<-crl_download>]
|
2015-06-25 19:28:28 +08:00
|
|
|
[B<-show_chain>]
|
2019-10-13 05:45:56 +08:00
|
|
|
[B<-sm2-id> I<hexstring>]
|
|
|
|
[B<-sm2-hex-id> I<hexstring>]
|
|
|
|
[B<-verbose>]
|
|
|
|
[B<-trusted> I<file>]
|
|
|
|
[B<-untrusted> I<file>]
|
2019-10-25 11:02:09 +08:00
|
|
|
{- $OpenSSL::safe::opt_name_synopsis -}
|
2019-10-13 05:45:56 +08:00
|
|
|
{- $OpenSSL::safe::opt_trust_synopsis -}
|
2019-10-13 05:45:56 +08:00
|
|
|
{- $OpenSSL::safe::opt_engine_synopsis -}
|
2019-10-13 05:45:56 +08:00
|
|
|
{- $OpenSSL::safe::opt_v_synopsis -}
|
2020-02-25 12:29:30 +08:00
|
|
|
{- $OpenSSL::safe::opt_provider_synopsis -}
|
2019-10-02 23:13:03 +08:00
|
|
|
[B<-->]
|
2019-10-02 00:16:29 +08:00
|
|
|
[I<certificate> ...]
|
1999-11-29 09:09:25 +08:00
|
|
|
|
2019-10-11 23:52:12 +08:00
|
|
|
=for openssl ifdef engine sm2-id sm2-hex-id
|
2019-09-23 07:49:25 +08:00
|
|
|
|
1999-11-29 09:09:25 +08:00
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
Command docs: fix up command references
Almost all OpenSSL commands are in reality 'openssl cmd', so make sure
they are refered to like that and not just as the sub-command.
Self-references are avoided as much as is possible, and replaced with
"this command". In some cases, we even avoid that with a slight
rewrite of the sentence or paragrah they were in. However, in the few
cases where a self-reference is still admissible, they are done in
bold, i.e. openssl-speed.pod references itself like this:
B<openssl speed>
References to other commands are done as manual links, i.e. CA.pl.pod
references 'openssl req' like this: L<openssl-req(1)>
Some commands are examples rather than references; we enclose those in
C<>.
While we are it, we abolish "utility", replacing it with "command", or
remove it entirely in some cases.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
2019-10-02 01:43:36 +08:00
|
|
|
This command verifies certificate chains.
|
1999-11-29 09:09:25 +08:00
|
|
|
|
2016-12-13 00:14:40 +08:00
|
|
|
=head1 OPTIONS
|
1999-11-29 09:09:25 +08:00
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
2016-02-06 00:58:45 +08:00
|
|
|
=item B<-help>
|
|
|
|
|
|
|
|
Print out a usage message.
|
|
|
|
|
2019-10-13 05:45:56 +08:00
|
|
|
=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
|
1999-11-29 09:09:25 +08:00
|
|
|
|
2019-10-13 05:45:56 +08:00
|
|
|
See L<openssl(1)/Trusted Certificate Options> for more information.
|
1999-11-29 09:09:25 +08:00
|
|
|
|
2019-09-26 03:20:11 +08:00
|
|
|
=item B<-CRLfile> I<file>
|
2014-07-03 10:42:40 +08:00
|
|
|
|
2019-10-02 00:16:29 +08:00
|
|
|
The I<file> should contain one or more CRLs in PEM format.
|
2016-01-16 14:15:02 +08:00
|
|
|
This option can be specified more than once to include CRLs from multiple
|
2019-10-02 00:16:29 +08:00
|
|
|
I<file>s.
|
2014-07-03 10:42:40 +08:00
|
|
|
|
2015-06-25 19:34:38 +08:00
|
|
|
=item B<-crl_download>
|
|
|
|
|
|
|
|
Attempt to download CRL information for this certificate.
|
|
|
|
|
2015-06-25 19:28:28 +08:00
|
|
|
=item B<-show_chain>
|
|
|
|
|
|
|
|
Display information about the certificate chain that has been built (if
|
|
|
|
successful). Certificates in the chain that came from the untrusted list will be
|
|
|
|
flagged as "untrusted".
|
|
|
|
|
2019-10-13 05:45:56 +08:00
|
|
|
=item B<-sm2-id> I<hexstring>
|
2019-03-13 17:22:31 +08:00
|
|
|
|
|
|
|
Specify the ID string to use when verifying an SM2 certificate. The ID string is
|
|
|
|
required by the SM2 signature algorithm for signing and verification.
|
|
|
|
|
2019-10-13 05:45:56 +08:00
|
|
|
=item B<-sm2-hex-id> I<hexstring>
|
2019-03-13 17:22:31 +08:00
|
|
|
|
|
|
|
Specify a binary ID string to use when signing or verifying using an SM2
|
|
|
|
certificate. The argument for this option is string of hexadecimal digits.
|
|
|
|
|
2019-10-13 05:45:56 +08:00
|
|
|
=item B<-verbose>
|
2019-10-25 11:02:09 +08:00
|
|
|
|
2019-10-13 05:45:56 +08:00
|
|
|
Print extra information about the operations being performed.
|
|
|
|
|
|
|
|
=item B<-trusted> I<file>
|
|
|
|
|
|
|
|
A file of trusted certificates.
|
|
|
|
|
|
|
|
=item B<-untrusted> I<file>
|
|
|
|
|
|
|
|
A file of untrusted certificates.
|
|
|
|
|
|
|
|
{- $OpenSSL::safe::opt_name_item -}
|
2019-10-25 11:02:09 +08:00
|
|
|
|
2019-10-13 05:45:56 +08:00
|
|
|
{- $OpenSSL::safe::opt_engine_item -}
|
|
|
|
To load certificates or CRLs that require engine support, specify the
|
|
|
|
B<-engine> option before any of the
|
|
|
|
B<-trusted>, B<-untrusted> or B<-CRLfile> options.
|
|
|
|
|
2019-10-13 05:45:56 +08:00
|
|
|
{- $OpenSSL::safe::opt_trust_item -}
|
|
|
|
|
|
|
|
{- $OpenSSL::safe::opt_v_item -}
|
|
|
|
|
2020-02-25 12:29:30 +08:00
|
|
|
{- $OpenSSL::safe::opt_provider_item -}
|
|
|
|
|
2019-10-02 23:13:03 +08:00
|
|
|
=item B<-->
|
1999-11-29 09:09:25 +08:00
|
|
|
|
2012-12-14 21:28:49 +08:00
|
|
|
Indicates the last option. All arguments following this are assumed to be
|
1999-11-30 10:28:42 +08:00
|
|
|
certificate files. This is useful if the first certificate filename begins
|
2019-10-13 05:45:56 +08:00
|
|
|
with a B<->.
|
1999-11-29 09:09:25 +08:00
|
|
|
|
2019-10-02 00:16:29 +08:00
|
|
|
=item I<certificate> ...
|
1999-11-29 09:09:25 +08:00
|
|
|
|
Command docs: fix up command references
Almost all OpenSSL commands are in reality 'openssl cmd', so make sure
they are refered to like that and not just as the sub-command.
Self-references are avoided as much as is possible, and replaced with
"this command". In some cases, we even avoid that with a slight
rewrite of the sentence or paragrah they were in. However, in the few
cases where a self-reference is still admissible, they are done in
bold, i.e. openssl-speed.pod references itself like this:
B<openssl speed>
References to other commands are done as manual links, i.e. CA.pl.pod
references 'openssl req' like this: L<openssl-req(1)>
Some commands are examples rather than references; we enclose those in
C<>.
While we are it, we abolish "utility", replacing it with "command", or
remove it entirely in some cases.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
2019-10-02 01:43:36 +08:00
|
|
|
One or more certificates to verify. If no certificates are given,
|
|
|
|
this command will attempt to read a certificate from standard input.
|
|
|
|
Certificates must be in PEM format.
|
2019-10-13 05:45:56 +08:00
|
|
|
If a certificate chain has multiple problems, this program tries to
|
|
|
|
display all of them.
|
1999-11-29 09:09:25 +08:00
|
|
|
|
|
|
|
=back
|
|
|
|
|
1999-11-30 10:28:42 +08:00
|
|
|
=head1 DIAGNOSTICS
|
|
|
|
|
|
|
|
When a verify operation fails the output messages can be somewhat cryptic. The
|
|
|
|
general form of the error message is:
|
|
|
|
|
|
|
|
server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
|
|
|
|
error 24 at 1 depth lookup:invalid CA certificate
|
|
|
|
|
|
|
|
The first line contains the name of the certificate being verified followed by
|
|
|
|
the subject name of the certificate. The second line contains the error number
|
|
|
|
and the depth. The depth is number of the certificate being verified when a
|
|
|
|
problem was detected starting with zero for the certificate being verified itself
|
|
|
|
then 1 for the CA that signed the certificate and so on. Finally a text version
|
|
|
|
of the error number is presented.
|
|
|
|
|
2019-10-13 05:45:56 +08:00
|
|
|
A list of the error codes and messages can be found in
|
|
|
|
L<X509_STORE_CTX_get_error(3)>; the full list is defined in the header file
|
2019-10-02 02:19:45 +08:00
|
|
|
F<< <openssl/x509_vfy.h> >>.
|
1999-11-30 10:28:42 +08:00
|
|
|
|
2019-10-13 05:45:56 +08:00
|
|
|
This command ignores many errors, in order to allow all the problems with a
|
|
|
|
certificate chain to be determined.
|
1999-11-29 09:09:25 +08:00
|
|
|
|
2000-09-08 08:53:58 +08:00
|
|
|
=head1 BUGS
|
|
|
|
|
2017-03-30 05:38:30 +08:00
|
|
|
Although the issuer checks are a considerable improvement over the old
|
|
|
|
technique they still suffer from limitations in the underlying X509_LOOKUP
|
|
|
|
API. One consequence of this is that trusted certificates with matching
|
|
|
|
subject name must either appear in a file (as specified by the B<-CAfile>
|
2019-03-07 22:26:34 +08:00
|
|
|
option), a directory (as specified by B<-CApath>), or a store (as specified
|
|
|
|
by B<-CAstore>). If they occur in more than one location then only the
|
|
|
|
certificates in the file will be recognised.
|
2000-09-08 08:53:58 +08:00
|
|
|
|
2017-03-30 05:38:30 +08:00
|
|
|
Previous versions of OpenSSL assume certificates with matching subject
|
|
|
|
name are identical and mishandled them.
|
2000-09-08 08:53:58 +08:00
|
|
|
|
2010-02-23 22:09:09 +08:00
|
|
|
Previous versions of this documentation swapped the meaning of the
|
|
|
|
B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and
|
2016-05-26 02:29:57 +08:00
|
|
|
B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.
|
2010-02-23 22:09:09 +08:00
|
|
|
|
1999-11-29 09:09:25 +08:00
|
|
|
=head1 SEE ALSO
|
|
|
|
|
2019-08-22 07:04:41 +08:00
|
|
|
L<openssl(1)>,
|
2019-03-07 22:26:34 +08:00
|
|
|
L<openssl-x509(1)>,
|
|
|
|
L<ossl_store-file(7)>
|
1999-11-29 09:09:25 +08:00
|
|
|
|
2015-01-27 19:15:15 +08:00
|
|
|
=head1 HISTORY
|
|
|
|
|
2018-12-09 08:02:36 +08:00
|
|
|
The B<-show_chain> option was added in OpenSSL 1.1.0.
|
2016-02-10 03:17:13 +08:00
|
|
|
|
2019-07-15 21:03:44 +08:00
|
|
|
The B<-sm2-id> and B<-sm2-hex-id> options were added in OpenSSL 3.0.
|
2019-03-13 17:22:31 +08:00
|
|
|
|
2016-05-18 23:44:05 +08:00
|
|
|
=head1 COPYRIGHT
|
|
|
|
|
2019-03-13 17:22:31 +08:00
|
|
|
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
2016-05-18 23:44:05 +08:00
|
|
|
|
2018-12-06 21:04:11 +08:00
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-05-18 23:44:05 +08:00
|
|
|
this file except in compliance with the License. You can obtain a copy
|
|
|
|
in the file LICENSE in the source distribution or at
|
|
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
|
|
|
|
=cut
|