9 X509_verify_cert_error_string - get or set certificate verification status
30 These functions are typically called after certificate or chain verification
44 nonnegative integer representing where in the certificate chain the error
45 occurred. If it is zero it occurred in the end entity certificate, one if
46 it is the certificate which signed the end entity certificate and so on.
53 X509_STORE_CTX_get_current_cert() returns the current certificate in
54 I<ctx>. If an error occurred, the current certificate will be the one
56 certificate is relevant.
58 X509_STORE_CTX_set_current_cert() sets the certificate I<x> in I<ctx> which
65 If a callback wishes the save the certificate for use after it returns, it
67 Once such a I<saved> certificate is no longer needed it can be freed with
71 certificate being verified by the I<ctx>. It may be NULL if a raw public
90 X509_STORE_CTX_get_current_cert() returns the certificate which caused the
91 error or NULL if no certificate is relevant to the error.
108 =item B<X509_V_ERR_UNSPECIFIED: unspecified certificate verification error>
112 =item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
114 The issuer certificate of a locally looked up certificate could not be found.
116 To allow any certificate (not only a self-signed one) in the trust store
119 =item B<X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
121 The CRL of a certificate could not be found.
124 unable to decrypt certificate's signature>
126 The certificate signature could not be decrypted. This means that the actual
140 The public key in the certificate C<SubjectPublicKeyInfo> field could
143 =item B<X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure>
145 The signature of the certificate is invalid.
151 =item B<X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid>
153 The certificate is not yet valid: the C<notBefore> date is after the
156 =item B<X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired>
158 The certificate has expired: that is the C<notAfter> date is before the
170 format error in certificate's notBefore field>
172 The certificate C<notBefore> field contains an invalid time.
175 format error in certificate's notAfter field>
177 The certificate C<notAfter> field contains an invalid time.
193 =item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self-signed certificate>
195 The passed certificate is self-signed and the same certificate cannot be found
199 self-signed certificate in certificate chain>
201 The certificate chain could be built up using the untrusted certificates
202 but no suitable trust anchor (which typically is a self-signed root certificate)
206 unable to get local issuer certificate>
208 The issuer certificate could not be found: this occurs if the issuer certificate
209 of an untrusted certificate cannot be found.
212 unable to verify the first certificate>
214 No signatures could be verified because the chain contains only one certificate
217 =item B<X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long>
219 The certificate chain length is greater than the supplied maximum depth.
221 =item B<X509_V_ERR_CERT_REVOKED: certificate revoked>
223 The certificate has been revoked.
226  issuer certificate doesn't have a public key>
228 The issuer certificate does not have a public key.
234 =item B<X509_V_ERR_INVALID_PURPOSE: unsuitable certificate purpose>
236 The target certificate cannot be used for the specified purpose.
238 =item B<X509_V_ERR_CERT_UNTRUSTED: certificate not trusted>
242 =item B<X509_V_ERR_CERT_REJECTED: certificate rejected>
248 The current candidate issuer certificate was rejected because its subject name
249 did not match the issuer name of the current certificate.
254 The current candidate issuer certificate was rejected because its subject key
256 certificate.
261 The current candidate issuer certificate was rejected because its issuer name
263 the current certificate.
266 key usage does not include certificate signing>
268 The current candidate issuer certificate was rejected because its C<keyUsage>
269 extension does not permit certificate signing.
272 unable to get CRL issuer certificate>
274 Unable to get CRL issuer certificate.
288 =item B<X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate (has CA markings)>
290 Invalid non-CA certificate has CA markings.
310 invalid or inconsistent certificate extension>
312 A certificate extension had an invalid value (for example an incorrect
316 invalid or inconsistent certificate policy extension>
318 A certificate policies extension had an invalid value (for example an incorrect
329 The only CRLs that could be found did not match the scope of the certificate.
333 Some feature of a certificate extension is not supported. Unused.
350 A certificate name constraints extension included a minimum or maximum field:
399 certificate chain.
402 =item B<X509_V_ERR_EE_KEY_TOO_SMALL: EE certificate key too weak>
404 EE certificate key too weak.
406 =item B<X509_V_ERR_CA_KEY_TOO_SMALL: CA certificate key too weak>
408 CA certificate key too weak.
414 =item B<X509_V_ERR_INVALID_CALL: invalid certificate verification context>
416 Invalid certificate verification context.
418 =item B<X509_V_ERR_STORE_LOOKUP: issuer certificate lookup error>
420 Issuer certificate lookup error.
422 =item B<X509_V_ERR_NO_VALID_SCTS: certificate transparency required, but no valid SCTs found>
440 Returned by the verify callback to indicate that the certificate is not
446 Cannot find certificate signature algorithm.
452 the subject's certificate.
457 The algorithm given in the certificate info is inconsistent
458  with the one used for the certificate signature.
460 =item B<X509_V_ERR_INVALID_CA: invalid CA certificate>
462 A CA certificate is invalid. Either it is not a CA or its extensions are not
477 In versions of OpenSSL before 1.0 the current certificate returned by
480 to the current certificate.

Last Index update Fri Nov 29 22:08:30 UTC 2024

Dedicated to & Maintained by Room-11