diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 8f483309ea..59be1e8cb5 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -35,9 +35,6 @@ Certificate enrollment options:
[B<-popo> I]
[B<-csr> I]
[B<-out_trusted> I]
-[B<-verify_hostname> I]
-[B<-verify_ip> I]
-[B<-verify_email> I]
[B<-implicit_confirm>]
[B<-disable_confirm>]
[B<-certout> I]
@@ -140,33 +137,7 @@ Mock server options:
Certificate verification options, for both CMP and TLS:
-[B<-policy> I]
-[B<-purpose> I]
-[B<-verify_name> I]
-[B<-verify_depth> I]
-[B<-auth_level> I]
-[B<-attime> I]
-[B<-ignore_critical>]
-[B<-issuer_checks>]
-[B<-policy_check>]
-[B<-explicit_policy>]
-[B<-inhibit_any>]
-[B<-inhibit_map>]
-[B<-x509_strict>]
-[B<-extended_crl>]
-[B<-use_deltas>]
-[B<-policy_print>]
-[B<-check_ss_sig>]
-[B<-crl_check>]
-[B<-crl_check_all>]
-[B<-trusted_first>]
-[B<-suiteB_128_only>]
-[B<-suiteB_128>]
-[B<-suiteB_192>]
-[B<-partial_chain>]
-[B<-no_alt_chains>]
-[B<-no_check_time>]
-[B<-allow_proxy_certs>]
+{- $OpenSSL::safe::opt_v_synopsis -}
=head1 DESCRIPTION
@@ -378,23 +349,9 @@ Multiple filenames may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
-=item B<-verify_hostname> I
-
-When verification of the newly enrolled certificate is enabled (with the
-B<-out_trusted> option), check if any DNS Subject Alternative Name (or if no
-DNS SAN is included, the Common Name in the subject) equals the given B.
-
-=item B<-verify_ip> I
-
-When verification of the newly enrolled certificate is enabled (with the
-B<-out_trusted> option), check if there is
-an IP address Subject Alternative Name matching the given IP address.
-
-=item B<-verify_email> I
-
-When verification of the newly enrolled certificate is enabled (with the
-B<-out_trusted> option), check if there is
-an email address Subject Alternative Name matching the given email address.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+only affect the certificate verification enabled via this option.
=item B<-implicit_confirm>
@@ -511,7 +468,7 @@ When verifying signature-based protection of CMP response messages,
these are the CA certificate(s) to trust while checking certificate chains
during CMP server authentication.
This option gives more flexibility than the B<-srvcert> option because the
-protection certificate is not pinned but may be any certificate
+server-side CMP signer certificate is not pinned but may be any certificate
for which a chain to one of the given trusted certificates can be constructed.
If no B<-trusted>, B<-srvcert>, and B<-secret> option is given
@@ -521,6 +478,10 @@ Multiple filenames may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
=item B<-untrusted> I
Non-trusted intermediate CA certificate(s).
@@ -666,13 +627,17 @@ is included in the extraCerts field in signature-protected request messages.
=item B<-own_trusted> I
If this list of certificates is provided then the chain built for
-the CMP signer certificate given with the B<-cert> option is verified
-using the given certificates as trust anchors.
+the client-side CMP signer certificate given with the B<-cert> option
+is verified using the given certificates as trust anchors.
Multiple filenames may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
=item B<-key> I
The corresponding private key file for the client's current certificate given in
@@ -808,6 +773,10 @@ Multiple filenames may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
=item B<-tls_host> I
Address to be checked during hostname validation.
@@ -913,6 +882,10 @@ Server private key (and cert) file pass phrase source.
Trusted certificates for client authentication.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
=item B<-srv_untrusted> I
Intermediate CA certs that may be useful when verifying client certificates.
@@ -991,21 +964,11 @@ Accept RAVERIFED as proof-of-possession (POPO).
=over 4
-=item B<-policy>, B<-purpose>, B<-verify_name>, B<-verify_depth>,
-B<-attime>,
-B<-ignore_critical>, B<-issuer_checks>,
-B<-policy_check>,
-B<-explicit_policy>, B<-inhibit_any>, B<-inhibit_map>,
-B<-x509_strict>, B<-extended_crl>, B<-use_deltas>,
-B<-policy_print>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<-trusted_first>,
-B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>,
-B<-partial_chain>, B<-no_alt_chains>, B<-no_check_time>,
-B<-auth_level>,
-B<-allow_proxy_certs>
+{- $OpenSSL::safe::opt_v_item -}
-Set various options of certificate chain verification.
-See L for details.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+only affect the certificate verification enabled via the B<-out_trusted> option.
=back