5 openssl-verification-options - generic X.509 certificate verification options
25 starting from the I<target certificate> that is to be verified
26 and ending in a certificate that due to some policy is trusted.
28 of the target certificate, such as SSL server, or by default for any purpose.
56 or Apple's and Microsoft's certificate stores, ...
58 From the OpenSSL perspective, a trust anchor is a certificate
60 uses of a target certificate the certificate may serve as a trust anchor.
78 A certificate, which may be CA certificate or an end-entity certificate,
103 First, a certificate chain is built up starting from the target certificate
107 a certificate with suitable key usage that
108 matches as an issuer of the current "subject" certificate as described below.
109 If there is such a certificate, the first one found that is currently valid
114 When a self-signed certificate has been added, chain construction stops.
117 A candidate issuer certificate matches a subject certificate
124 Its subject name matches the issuer name of the subject certificate.
128 If the subject certificate has an authority key identifier extension,
130 number, and issuer field of the candidate issuer certificate,
135 The certificate signature algorithm used to sign the subject certificate
137 equals the public key algorithm of the candidate issuer certificate.
147 When the certificate chain building process was successful
150 The first step is to check that each certificate is well-formed.
153 The second step is to check the extensions of every untrusted certificate
158 The target or "leaf" certificate, as well as any other untrusted certificates,
164 The third step is to check the trust settings on the last certificate
165 (which typically is a self-signed root CA certificate).
167 For compatibility with previous versions of OpenSSL, a self-signed certificate
170 The fourth, and final, step is to check the validity of the certificate chain.
171 For each element in the chain, including the root CA certificate,
175 The certificate signature is checked as well
176 (except for the signature of the typically self-signed root CA certificate,
178 When verifying a certificate signature
179 the keyUsage extension (if present) of the candidate issuer certificate
182 If all operations complete successfully then certificate is considered
183 valid. If any operation fails then the certificate is not valid.
205 Load the specified file which contains a trusted certificate in DER format
218 certificate. This is so that the library can extract the IssuerName,
219 hash it, and directly lookup the file to get the issuer certificate.
229 The URI may indicate a single certificate, as well as a collection of them.
235 These certificates are also used when building the server certificate
236 chain (for example with L<openssl-s_server(1)>) or client certificate
247 The certificate verification can be fine-tuned with the following flags.
273 among others, the following certificate well-formedness conditions are checked:
295 The issuer name of any certificate must not be empty.
329 supported by OpenSSL the certificate is rejected (as required by RFC5280).
338 Checks end entity certificate validity by attempting to look up a valid CRL.
365 Set the certificate chain authentication security level to I<level>.
367 public key strength when verifying certificate chains.  For a certificate
382 That is, a chain ending in a certificate that normally would not be trusted
385 This certificate may be self-issued or belong to an intermediate CA.
390 the last certificate in a chain if the certificate is supposedly self-signed.
392 certificate with key usage restrictions not including the keyCertSign bit.
403 When constructing the certificate chain, the trusted certificates specified
427 construct a certificate chain from the target certificate to a trust anchor.
442 Enables certificate policy processing.
458 The intended use for the certificate.
462 If peer certificate verification is enabled, by default the TLS implementation
472 Limit the certificate chain to I<num> intermediate CA certificates.
474 end-entity certificate nor the trust-anchor certificate count against the
485 Common Name in the subject certificate.
490 the subject certificate.
494 Use default verification policies like trust model and required certificate
497 to verifying the given certificate chain.
512 Sometimes there may be more than one certificate chain leading to an
513 end-entity certificate.
514 This usually happens when a root or intermediate CA signs a certificate
526 Specify an extra certificate, private key and certificate chain. These behave
533 Specify whether the application should build the certificate chain to be
539 The input format for the extra certificate.
551 Options like B<-purpose> lead to checking the certificate extensions,
552 which determine what the target certificate and intermediate CA certificates
558 certificate can be used as a CA. If the CA flag is true then it is a CA,
563 which includes the case that it is an X.509v1 certificate,
564 then the certificate is considered to be a "possible CA" and
565 other extensions are checked according to the intended use of the certificate.
572 made on the uses of the certificate. A CA certificate B<must> have the
578 certificate uses. If this extension is present (whether critical or not)
592 digitalSignature bit set.  The Netscape certificate type must be absent
599 The Netscape certificate type must be absent or it must have the SSL CA bit set.
608 The Netscape certificate type must be absent or have the SSL server bit set.
613 authentication" and/or one of the SGC OIDs.  The Netscape certificate type must
627 protection" OID.  The Netscape certificate type must be absent or should have the
628 S/MIME bit set. If the S/MIME bit is not set in the Netscape certificate type
645 protection" OID.  The Netscape certificate type must be absent or must have the

Last Index update Fri Nov 29 22:08:30 UTC 2024

Dedicated to & Maintained by Room-11