Diffstat (limited to 'secure/usr.bin/openssl/man/verify.1')
-rw-r--r--secure/usr.bin/openssl/man/verify.161
1 files changed, 38 insertions, 23 deletions
diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1
index fd4477bc55ea..a7ff1da6b11a 100644
--- a/secure/usr.bin/openssl/man/verify.1
+++ b/secure/usr.bin/openssl/man/verify.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -38,6 +38,8 @@
. ds PI \(*p
. ds L" ``
. ds R" ''
+. ds C`
+. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+. if \nF \{
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
+. if !\nF==2 \{
+. nr % 0
+. nr F 2
+. \}
+. \}
.\}
+.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -124,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "VERIFY 1"
-.TH VERIFY 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH VERIFY 1 "2015-01-15" "1.0.1l" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -152,6 +161,7 @@ verify \- Utility to verify certificates.
[\fB\-untrusted file\fR]
[\fB\-help\fR]
[\fB\-issuer_checks\fR]
+[\fB\-attime timestamp\fR]
[\fB\-verbose\fR]
[\fB\-\fR]
[certificates]
@@ -167,12 +177,12 @@ of the form: hash.0 or have symbolic links to them of this
form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option
of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically
create symbolic links to a directory of certificates.
-.IP "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-A file of trusted certificates. The file should contain multiple certificates
-in \s-1PEM\s0 format concatenated together.
+.IP "\fB\-CAfile file\fR A file of trusted certificates. The file should contain multiple certificates in \s-1PEM\s0 format concatenated together." 4
+.IX Item "-CAfile file A file of trusted certificates. The file should contain multiple certificates in PEM format concatenated together."
+.PD 0
.IP "\fB\-untrusted file\fR" 4
.IX Item "-untrusted file"
+.PD
A file of untrusted certificates. The file should contain multiple certificates
in \s-1PEM\s0 format concatenated together.
.IP "\fB\-purpose purpose\fR" 4
@@ -180,7 +190,7 @@ in \s-1PEM\s0 format concatenated together.
The intended use for the certificate. If this option is not specified,
\&\fBverify\fR will not consider certificate purpose during chain verification.
Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR, \fBnssslserver\fR,
-\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY\s0 \s-1OPERATION\s0\fR section for more
+\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY OPERATION\s0\fR section for more
information.
.IP "\fB\-help\fR" 4
.IX Item "-help"
@@ -195,6 +205,11 @@ current certificate. This shows why each candidate issuer certificate was
rejected. The presence of rejection messages does not itself imply that
anything is wrong; during the normal verification process, several
rejections may take place.
+.IP "\fB\-attime timestamp\fR" 4
+.IX Item "-attime timestamp"
+Perform validation checks using time specified by \fBtimestamp\fR and not
+current system time. \fBtimestamp\fR is the number of seconds since
+01.01.1970 (\s-1UNIX\s0 time).
.IP "\fB\-policy arg\fR" 4
.IX Item "-policy arg"
Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see
@@ -217,7 +232,7 @@ Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0).
Print out diagnostics related to policy processing.
.IP "\fB\-crl_check\fR" 4
.IX Item "-crl_check"
-Checks end entity certificate validity by attempting to look up a valid \s-1CRL\s0.
+Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0
If a valid \s-1CRL\s0 cannot be found an error occurs.
.IP "\fB\-crl_check_all\fR" 4
.IX Item "-crl_check_all"
@@ -241,7 +256,7 @@ signing keys.
Enable support for delta CRLs.
.IP "\fB\-check_ss_sig\fR" 4
.IX Item "-check_ss_sig"
-Verify the signature on the self-signed root \s-1CA\s0. This is disabled by default
+Verify the signature on the self-signed root \s-1CA.\s0 This is disabled by default
because it doesn't add any security.
.IP "\fB\-\fR" 4
.IX Item "-"
@@ -268,10 +283,10 @@ determined.
The verify operation consists of a number of separate steps.
.PP
Firstly a certificate chain is built up starting from the supplied certificate
-and ending in the root \s-1CA\s0. It is an error if the whole chain cannot be built
+and ending in the root \s-1CA.\s0 It is an error if the whole chain cannot be built
up. The chain is built up by looking up the issuers certificate of the current
certificate. If a certificate is found which is its own issuer it is assumed
-to be the root \s-1CA\s0.
+to be the root \s-1CA.\s0
.PP
The process of 'looking up the issuers certificate' itself involves a number
of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
@@ -295,9 +310,9 @@ consistency with the supplied purpose. If the \fB\-purpose\fR option is not incl
then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions
compatible with the supplied purpose and all other certificates must also be valid
\&\s-1CA\s0 certificates. The precise extensions required are described in more detail in
-the \fB\s-1CERTIFICATE\s0 \s-1EXTENSIONS\s0\fR section of the \fBx509\fR utility.
+the \fB\s-1CERTIFICATE EXTENSIONS\s0\fR section of the \fBx509\fR utility.
.PP
-The third operation is to check the trust settings on the root \s-1CA\s0. The root
+The third operation is to check the trust settings on the root \s-1CA.\s0 The root
\&\s-1CA\s0 should be trusted for the supplied purpose. For compatibility with previous
versions of SSLeay and OpenSSL a certificate with no trust settings is considered
to be valid for all purposes.
@@ -447,8 +462,8 @@ does not permit certificate signing.
an application specific error. Unused.
.SH "BUGS"
.IX Header "BUGS"
-Although the issuer checks are a considerably improvement over the old technique they still
-suffer from limitations in the underlying X509_LOOKUP \s-1API\s0. One consequence of this is that
+Although the issuer checks are a considerable improvement over the old technique they still
+suffer from limitations in the underlying X509_LOOKUP \s-1API.\s0 One consequence of this is that
trusted certificates with matching subject name must either appear in a file (as specified by the
\&\fB\-CAfile\fR option) or a directory (as specified by \fB\-CApath\fR. If they occur in both then only
the certificates in the file will be recognised.