OLD | NEW |
1 =pod | 1 =pod |
2 | 2 |
3 =head1 NAME | 3 =head1 NAME |
4 | 4 |
5 verify - Utility to verify certificates. | 5 verify - Utility to verify certificates. |
6 | 6 |
7 =head1 SYNOPSIS | 7 =head1 SYNOPSIS |
8 | 8 |
9 B<openssl> B<verify> | 9 B<openssl> B<verify> |
10 [B<-CApath directory>] | 10 [B<-CApath directory>] |
11 [B<-CAfile file>] | 11 [B<-CAfile file>] |
12 [B<-purpose purpose>] | 12 [B<-purpose purpose>] |
| 13 [B<-policy arg>] |
| 14 [B<-ignore_critical>] |
| 15 [B<-crl_check>] |
| 16 [B<-crl_check_all>] |
| 17 [B<-policy_check>] |
| 18 [B<-explicit_policy>] |
| 19 [B<-inhibit_any>] |
| 20 [B<-inhibit_map>] |
| 21 [B<-x509_strict>] |
| 22 [B<-extended_crl>] |
| 23 [B<-use_deltas>] |
| 24 [B<-policy_print>] |
13 [B<-untrusted file>] | 25 [B<-untrusted file>] |
14 [B<-help>] | 26 [B<-help>] |
15 [B<-issuer_checks>] | 27 [B<-issuer_checks>] |
16 [B<-verbose>] | 28 [B<-verbose>] |
17 [B<->] | 29 [B<->] |
18 [certificates] | 30 [certificates] |
19 | 31 |
20 | 32 |
21 =head1 DESCRIPTION | 33 =head1 DESCRIPTION |
22 | 34 |
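Review bot: the twelve new synopsis entries are listed in a different order from the one the OPTIONS section documents them in (the options text goes B<-policy>, B<-policy_check>, B<-explicit_policy>, B<-inhibit_any>, B<-inhibit_map>, B<-policy_print>, then the two CRL options, then B<-ignore_critical>, B<-x509_strict>, B<-extended_crl>, B<-use_deltas>), so a reader cannot cross-reference the two lists by position; pick one order and use it in both places. While this hunk is touching the synopsis, B<-check_ss_sig>, which OPTIONS already documents, is still missing from it and could be added in the same change.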
(...skipping 36 matching lines...)
59 print extra information about the operations being performed. | 71 print extra information about the operations being performed. |
60 | 72 |
61 =item B<-issuer_checks> | 73 =item B<-issuer_checks> |
62 | 74 |
63 print out diagnostics relating to searches for the issuer certificate | 75 print out diagnostics relating to searches for the issuer certificate |
64 of the current certificate. This shows why each candidate issuer | 76 of the current certificate. This shows why each candidate issuer |
65 certificate was rejected. However the presence of rejection messages | 77 certificate was rejected. However the presence of rejection messages |
66 does not itself imply that anything is wrong: during the normal | 78 does not itself imply that anything is wrong: during the normal |
67 verify process several rejections may take place. | 79 verify process several rejections may take place. |
68 | 80 |
| 81 =item B<-policy arg> |
| 82 |
| 83 Enable policy processing and add B<arg> to the user-initial-policy-set |
| 84 (see RFC3280 et al). The policy B<arg> can be an object name an OID in numeric |
| 85 form. This argument can appear more than once. |
| 86 |
| 87 =item B<-policy_check> |
| 88 |
| 89 Enables certificate policy processing. |
| 90 |
| 91 =item B<-explicit_policy> |
| 92 |
| 93 Set policy variable require-explicit-policy (see RFC3280 et al). |
| 94 |
| 95 =item B<-inhibit_any> |
| 96 |
| 97 Set policy variable inhibit-any-policy (see RFC3280 et al). |
| 98 |
| 99 =item B<-inhibit_map> |
| 100 |
| 101 Set policy variable inhibit-policy-mapping (see RFC3280 et al). |
| 102 |
| 103 =item B<-policy_print> |
| 104 |
| 105 Print out diagnostics, related to policy checking |
| 106 |
| 107 =item B<-crl_check> |
| 108 |
| 109 Checks end entity certificate validity by attempting to lookup a valid CRL. |
| 110 If a valid CRL cannot be found an error occurs. |
| 111 |
| 112 =item B<-crl_check_all> |
| 113 |
| 114 Checks the validity of B<all> certificates in the chain by attempting |
| 115 to lookup valid CRLs. |
| 116 |
| 117 =item B<-ignore_critical> |
| 118 |
| 119 Normally if an unhandled critical extension is present which is not |
| 120 supported by OpenSSL the certificate is rejected (as required by |
| 121 RFC3280 et al). If this option is set critical extensions are |
| 122 ignored. |
| 123 |
| 124 =item B<-x509_strict> |
| 125 |
| 126 Disable workarounds for broken certificates which have to be disabled |
| 127 for strict X.509 compliance. |
| 128 |
| 129 =item B<-extended_crl> |
| 130 |
| 131 Enable extended CRL features such as indirect CRLs and alternate CRL |
| 132 signing keys. |
| 133 |
| 134 =item B<-use_deltas> |
| 135 |
| 136 Enable support for delta CRLs. |
| 137 |
69 =item B<-check_ss_sig> | 138 =item B<-check_ss_sig> |
70 | 139 |
71 Verify the signature on the self-signed root CA. This is disabled by default | 140 Verify the signature on the self-signed root CA. This is disabled by default |
72 because it doesn't add any security. | 141 because it doesn't add any security. |
73 | 142 |
74 =item B<-> | 143 =item B<-> |
75 | 144 |
76 marks the last option. All arguments following this are assumed to be | 145 marks the last option. All arguments following this are assumed to be |
77 certificate files. This is useful if the first certificate filename begins | 146 certificate files. This is useful if the first certificate filename begins |
78 with a B<->. | 147 with a B<->. |
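Review bot: the B<-ignore_critical> text only says what the option does, not what it costs: an unrecognised critical extension is exactly how an issuer marks a constraint the relying party must honour (RFC3280 requires rejection for that reason), so ignoring it weakens the verification result; the entry should say that the option is for diagnosing why a chain fails and should not be used when the result is relied on. Smaller points in the same hunk: the B<-policy> text "can be an object name an OID in numeric form" has lost the "or" between the two alternatives; "Print out diagnostics, related to policy checking" has a stray comma and no full stop; "attempting to lookup" in both B<-crl_check> entries should be "attempting to look up"; and the B<-x509_strict> wording "workarounds for broken certificates which have to be disabled for strict X.509 compliance" is hard to parse, something like "Disable the workarounds for broken certificates that are incompatible with strict X.509 compliance" reads more directly.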
(...skipping 90 matching lines...)
169 | 238 |
170 the operation was successful. | 239 the operation was successful. |
171 | 240 |
172 =item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
> | 241 =item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
> |
173 | 242 |
174 the issuer certificate of a looked up certificate could not be found. This | 243 the issuer certificate of a looked up certificate could not be found. This |
175 normally means the list of trusted certificates is not complete. | 244 normally means the list of trusted certificates is not complete. |
176 | 245 |
177 =item B<3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL> | 246 =item B<3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL> |
178 | 247 |
179 the CRL of a certificate could not be found. Unused. | 248 the CRL of a certificate could not be found. |
180 | 249 |
181 =item B<4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certifi
cate's signature> | 250 =item B<4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certifi
cate's signature> |
182 | 251 |
183 the certificate signature could not be decrypted. This means that the actual sig
nature value | 252 the certificate signature could not be decrypted. This means that the actual sig
nature value |
184 could not be determined rather than it not matching the expected value, this is
only | 253 could not be determined rather than it not matching the expected value, this is
only |
185 meaningful for RSA keys. | 254 meaningful for RSA keys. |
186 | 255 |
187 =item B<5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's si
gnature> | 256 =item B<5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's si
gnature> |
188 | 257 |
189 the CRL signature could not be decrypted: this means that the actual signature v
alue | 258 the CRL signature could not be decrypted: this means that the actual signature v
alue |
190 could not be determined rather than it not matching the expected value. Unused. | 259 could not be determined rather than it not matching the expected value. Unused. |
191 | 260 |
192 =item B<6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer
public key> | 261 =item B<6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer
public key> |
193 | 262 |
194 the public key in the certificate SubjectPublicKeyInfo could not be read. | 263 the public key in the certificate SubjectPublicKeyInfo could not be read. |
195 | 264 |
196 =item B<7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure> | 265 =item B<7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure> |
197 | 266 |
198 the signature of the certificate is invalid. | 267 the signature of the certificate is invalid. |
199 | 268 |
200 =item B<8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure> | 269 =item B<8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure> |
201 | 270 |
202 the signature of the certificate is invalid. Unused. | 271 the signature of the certificate is invalid. |
203 | 272 |
204 =item B<9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid> | 273 =item B<9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid> |
205 | 274 |
206 the certificate is not yet valid: the notBefore date is after the current time. | 275 the certificate is not yet valid: the notBefore date is after the current time. |
207 | 276 |
208 =item B<10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired> | 277 =item B<10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired> |
209 | 278 |
210 the certificate has expired: that is the notAfter date is before the current tim
e. | 279 the certificate has expired: that is the notAfter date is before the current tim
e. |
211 | 280 |
212 =item B<11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid> | 281 =item B<11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid> |
213 | 282 |
214 the CRL is not yet valid. Unused. | 283 the CRL is not yet valid. |
215 | 284 |
216 =item B<12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired> | 285 =item B<12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired> |
217 | 286 |
218 the CRL has expired. Unused. | 287 the CRL has expired. |
219 | 288 |
220 =item B<13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificat
e's notBefore field> | 289 =item B<13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificat
e's notBefore field> |
221 | 290 |
222 the certificate notBefore field contains an invalid time. | 291 the certificate notBefore field contains an invalid time. |
223 | 292 |
224 =item B<14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate
's notAfter field> | 293 =item B<14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate
's notAfter field> |
225 | 294 |
226 the certificate notAfter field contains an invalid time. | 295 the certificate notAfter field contains an invalid time. |
227 | 296 |
228 =item B<15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's last
Update field> | 297 =item B<15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's last
Update field> |
229 | 298 |
230 the CRL lastUpdate field contains an invalid time. Unused. | 299 the CRL lastUpdate field contains an invalid time. |
231 | 300 |
232 =item B<16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's next
Update field> | 301 =item B<16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's next
Update field> |
233 | 302 |
234 the CRL nextUpdate field contains an invalid time. Unused. | 303 the CRL nextUpdate field contains an invalid time. |
235 | 304 |
236 =item B<17 X509_V_ERR_OUT_OF_MEM: out of memory> | 305 =item B<17 X509_V_ERR_OUT_OF_MEM: out of memory> |
237 | 306 |
238 an error occurred trying to allocate memory. This should never happen. | 307 an error occurred trying to allocate memory. This should never happen. |
239 | 308 |
240 =item B<18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate> | 309 =item B<18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate> |
241 | 310 |
242 the passed certificate is self signed and the same certificate cannot be found i
n the list of | 311 the passed certificate is self signed and the same certificate cannot be found i
n the list of |
243 trusted certificates. | 312 trusted certificates. |
244 | 313 |
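Review bot: dropping "Unused." from the CRL error codes 3, 8, 11, 12, 15 and 16 is consistent with the new CRL checking options, but error 5 B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE> still ends with "Unused." even though it is the CRL counterpart of error 4 and a CRL signature check can now fail in the same way; either remove that marker too or say why this code remains unreachable. Also, now that error 8 B<X509_V_ERR_CRL_SIGNATURE_FAILURE> is live, its description "the signature of the certificate is invalid" is a copy of error 7's text and should read "the signature of the CRL is invalid".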
(...skipping 11 matching lines...)
256 | 325 |
257 no signatures could be verified because the chain contains only one certificate
and it is not | 326 no signatures could be verified because the chain contains only one certificate
and it is not |
258 self signed. | 327 self signed. |
259 | 328 |
260 =item B<22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long> | 329 =item B<22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long> |
261 | 330 |
262 the certificate chain length is greater than the supplied maximum depth. Unused. | 331 the certificate chain length is greater than the supplied maximum depth. Unused. |
263 | 332 |
264 =item B<23 X509_V_ERR_CERT_REVOKED: certificate revoked> | 333 =item B<23 X509_V_ERR_CERT_REVOKED: certificate revoked> |
265 | 334 |
266 the certificate has been revoked. Unused. | 335 the certificate has been revoked. |
267 | 336 |
268 =item B<24 X509_V_ERR_INVALID_CA: invalid CA certificate> | 337 =item B<24 X509_V_ERR_INVALID_CA: invalid CA certificate> |
269 | 338 |
270 a CA certificate is invalid. Either it is not a CA or its extensions are not con
sistent | 339 a CA certificate is invalid. Either it is not a CA or its extensions are not con
sistent |
271 with the supplied purpose. | 340 with the supplied purpose. |
272 | 341 |
273 =item B<25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded> | 342 =item B<25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded> |
274 | 343 |
275 the basicConstraints pathlength parameter has been exceeded. | 344 the basicConstraints pathlength parameter has been exceeded. |
276 | 345 |
(...skipping 51 matching lines...)
328 | 397 |
329 Previous versions of this documentation swapped the meaning of the | 398 Previous versions of this documentation swapped the meaning of the |
330 B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and | 399 B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and |
331 B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes. | 400 B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes. |
332 | 401 |
333 =head1 SEE ALSO | 402 =head1 SEE ALSO |
334 | 403 |
335 L<x509(1)|x509(1)> | 404 L<x509(1)|x509(1)> |
336 | 405 |
337 =cut | 406 =cut |