mirror of
https://github.com/openssl/openssl.git
synced 2024-11-27 05:21:51 +08:00
e53ad1d8f2
No longer needed after rewrite of cmd-nits Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15311)
168 lines
4.9 KiB
Plaintext
168 lines
4.9 KiB
Plaintext
=pod
|
|
{- OpenSSL::safe::output_do_not_edit_headers(); -}
|
|
|
|
=head1 NAME
|
|
|
|
openssl-verify - certificate verification command
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
B<openssl> B<verify>
|
|
[B<-help>]
|
|
[B<-CRLfile> I<file>]
|
|
[B<-crl_download>]
|
|
[B<-show_chain>]
|
|
[B<-verbose>]
|
|
[B<-trusted> I<file>]
|
|
[B<-untrusted> I<file>]
|
|
[B<-vfyopt> I<nm>:I<v>]
|
|
{- $OpenSSL::safe::opt_name_synopsis -}
|
|
{- $OpenSSL::safe::opt_trust_synopsis -}
|
|
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_v_synopsis -}
|
|
{- $OpenSSL::safe::opt_provider_synopsis -}
|
|
[B<-->]
|
|
[I<certificate> ...]
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
This command verifies certificate chains. If a certificate chain has multiple
|
|
problems, this program attempts to display all of them.
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over 4
|
|
|
|
=item B<-help>
|
|
|
|
Print out a usage message.
|
|
|
|
=item B<-CRLfile> I<file>
|
|
|
|
The file or URI should contain one or more CRLs in PEM or DER format.
|
|
This option can be specified more than once to include CRLs from multiple
|
|
I<file>s.
|
|
|
|
=item B<-crl_download>
|
|
|
|
Attempt to download CRL information for certificates via their CDP entries.
|
|
|
|
=item B<-show_chain>
|
|
|
|
Display information about the certificate chain that has been built (if
|
|
successful). Certificates in the chain that came from the untrusted list will be
|
|
flagged as "untrusted".
|
|
|
|
=item B<-verbose>
|
|
|
|
Print extra information about the operations being performed.
|
|
|
|
=item B<-trusted> I<file>
|
|
|
|
A file or URI of trusted certificates in PEM, DER, or PKCS#12 format.
|
|
This option can be specified more than once to load certificates from multiple
|
|
I<file>s.
|
|
|
|
=item B<-untrusted> I<file>
|
|
|
|
A file or URI of untrusted certificates in PEM, DER, or PKCS#12 format
|
|
to use for chain building.
|
|
This option can be specified more than once to load certificates from multiple
|
|
I<file>s.
|
|
|
|
|
|
=item B<-vfyopt> I<nm>:I<v>
|
|
|
|
Pass options to the signature algorithm during verify operations.
|
|
Names and values of these options are algorithm-specific.
|
|
|
|
{- $OpenSSL::safe::opt_name_item -}
|
|
|
|
{- $OpenSSL::safe::opt_engine_item -}
|
|
{- output_off() if $disabled{"deprecated-3.0"}; "" -}
|
|
To load certificates or CRLs that require engine support, specify the
|
|
B<-engine> option before any of the
|
|
B<-trusted>, B<-untrusted> or B<-CRLfile> options.
|
|
{- output_on() if $disabled{"deprecated-3.0"}; "" -}
|
|
|
|
{- $OpenSSL::safe::opt_trust_item -}
|
|
|
|
{- $OpenSSL::safe::opt_v_item -}
|
|
|
|
{- $OpenSSL::safe::opt_provider_item -}
|
|
|
|
=item B<-->
|
|
|
|
Indicates the last option. All arguments following this are assumed to be
|
|
certificate files. This is useful if the first certificate filename begins
|
|
with a B<->.
|
|
|
|
=item I<certificate> ...
|
|
|
|
One or more target certificates to verify, one per file. If no certificates are
|
|
given, this command will attempt to read a single certificate from standard
|
|
input.
|
|
|
|
=back
|
|
|
|
=head1 DIAGNOSTICS
|
|
|
|
When a verify operation fails the output messages can be somewhat cryptic. The
|
|
general form of the error message is:
|
|
|
|
server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
|
|
error 24 at 1 depth lookup:invalid CA certificate
|
|
|
|
The first line contains the name of the certificate being verified followed by
|
|
the subject name of the certificate. The second line contains the error number
|
|
and the depth. The depth is number of the certificate being verified when a
|
|
problem was detected starting with zero for the target ("leaf") certificate
|
|
itself then 1 for the CA that signed the target certificate and so on.
|
|
Finally a textual version of the error number is presented.
|
|
|
|
A list of the error codes and messages can be found in
|
|
L<X509_STORE_CTX_get_error(3)>; the full list is defined in the header file
|
|
F<< <openssl/x509_vfy.h> >>.
|
|
|
|
This command ignores many errors, in order to allow all the problems with a
|
|
certificate chain to be determined.
|
|
|
|
=head1 BUGS
|
|
|
|
Although the issuer checks are a considerable improvement over the old
|
|
technique they still suffer from limitations in the underlying X509_LOOKUP
|
|
API. One consequence of this is that trusted certificates with matching
|
|
subject name must either appear in a file (as specified by the B<-CAfile>
|
|
option), a directory (as specified by B<-CApath>), or a store (as specified
|
|
by B<-CAstore>). If they occur in more than one location then only the
|
|
certificates in the file will be recognised.
|
|
|
|
Previous versions of OpenSSL assume certificates with matching subject
|
|
name are identical and mishandled them.
|
|
|
|
Previous versions of this documentation swapped the meaning of the
|
|
B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and
|
|
B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<openssl-verification-options(1)>,
|
|
L<openssl-x509(1)>,
|
|
L<ossl_store-file(7)>
|
|
|
|
=head1 HISTORY
|
|
|
|
The B<-show_chain> option was added in OpenSSL 1.1.0.
|
|
|
|
The B<-engine option> was deprecated in OpenSSL 3.0.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|