/openssl/doc/man3/
X509_STORE_CTX_get_error.pod | 46 it is the certificate which signed the end entity certificate and so on. 56 certificate is relevant. 114 The issuer certificate of a locally looked up certificate could not be found. 195 The passed certificate is self-signed and the same certificate cannot be found 199 self-signed certificate in certificate chain> 208 The issuer certificate could not be found: this occurs if the issuer certificate 256 certificate. 263 the current certificate. 399 certificate chain. 452 the subject's certificate.
SSL_CTX_set_client_cert_cb.pod | 20 called when a client certificate is requested by a server and no certificate 29 set a certificate, a certificate/private key combination must be set 32 If no certificate should be set, "0" has to be returned and no certificate 42 During a handshake (or renegotiation) a server may request a certificate 46 When a certificate was set using the 57 If the callback function returns a certificate, the OpenSSL library 58 will try to load the private key and certificate data into the SSL 60 Thus it will permanently install the certificate and key for this SSL 63 a certificate. 79 certificate store for the SSL_CTX object (resulting in having to add
X509_check_ca.pod | 5 X509_check_ca - check if given certificate is CA certificate 15 This function checks if given certificate is CA certificate (can be used 16 to sign other certificates). The certificate must be a complete certificate 21 Function return 0, if it is not CA certificate, 1 if it is proper X509v3 22 CA certificate with B<basicConstraints> extension CA:TRUE, 23 3, if it is self-signed X509 v1 certificate, 4, if it is certificate with 26 extension telling that it is CA certificate. 30 Actually, any nonzero value means that this certificate could have been
SSL_get_certificate.pod | 5 SSL_get_certificate, SSL_get_privatekey - retrieve TLS/SSL certificate and 18 certificate used as the local peer's identity. 21 RSA and ECDSA certificates. The certificate which is returned by 28 If it is called before certificate selection has occurred, it returns the most 29 recently added certificate, or NULL if no certificate has been added. 33 After certificate selection has occurred, it returns the certificate which was 34 selected during the handshake, or NULL if no certificate was selected (for 35 example, on a client where no client certificate is in use). 41 will depend on whether that callback is made before or after certificate 45 L<SSL_CTX_set_tlsext_status_cb(3)>. This callback occurs after certificate
SSL_CTX_use_certificate.pod | 16 - load certificate and key data 66 SSL_CTX_use_certificate() loads the certificate B<x> into B<ctx>, 68 certificates needed to form the complete certificate chain can be 84 SSL_CTX_use_certificate_chain_file() loads a certificate chain from 89 similar except it loads the certificate chain into B<ssl>. 96 to the certificate an error is returned. To change a [certificate/private-key] 103 certificate B<x>, private key B<key>, and certificate B<chain> onto the 142 key/certificate pairs at a time. The certificate used depends on the 147 one certificate or private key, consequently 155 certificate chain store for all certificate types, OpenSSL 1.0.2 and later
X509_get_extension_flags.pod | 15 X509_get_proxy_pathlen - retrieve certificate extension data 48 The certificate is an obsolete version 1 certificate. 52 The certificate contains a basic constraints extension. 60 The certificate is a valid proxy certificate. 73 The freshest CRL extension is present in the certificate. 77 The certificate contains an unhandled critical extension. 81 Some certificate extension values are invalid or inconsistent. 82 The certificate should be rejected. 95 inconsistent. The certificate should be rejected. 155 given certificate B<x> if it is a proxy certificate.
SSL_CTX_add1_chain_cert.pod | 11 chain certificate processing 42 associated with the current certificate of B<ctx> to B<sk>. 45 certificate B<x509> to the chain associated with the current certificate of 49 certificate of B<ctx>. 52 current certificate of B<ctx>. (This is implemented by calling 55 SSL_CTX_build_cert_chain() builds the certificate chain for B<ctx>. 71 (i.e. server or client) certificate. This is the last certificate loaded or 86 certificate after the current certificate. These two operations can be 91 this option sets that certificate to the current certificate and returns 1. 94 is not a server or a certificate has not been sent 0 is returned and
SSL_get_peer_certificate.pod | 7 SSL_get1_peer_certificate - get the X509 certificate of the peer 24 These functions return a pointer to the X509 certificate the 25 peer presented. If the peer did not present a certificate, NULL is returned. 30 certificate, if present. A client will only send a certificate when 35 That a certificate is returned does not indicate information about the 41 containing the peer certificate is freed. The X509 object must be explicitly 57 No certificate was presented by the peer or no connection was established. 59 =item Pointer to an X509 certificate 61 The return value points to the certificate presented by the peer.
OSSL_CMP_exec_certreq.pod | 71 OSSL_CMP_exec_CR_ses() requests an additional certificate. 75 OSSL_CMP_exec_KUR_ses() obtains an updated certificate. 77 These four types of certificate enrollment are implemented as macros 82 For IR, CR, and KUR, the certificate template to be used in the request 101 If no error occurred but no certificate is available yet then 110 to see whether meanwhile the requested certificate is available. 115 OSSL_CMP_exec_RR_ses() requests the revocation of the certificate 119 of the certificate set by L<OSSL_CMP_CTX_set1_oldCert(3)>, 162 The I<newWithNew> certificate is meant to be a certificate that will be trusted. 178 the certificate template received. NULL output means that no certificate
SSL_get_peer_cert_chain.pod | 5 SSL_get_peer_cert_chain, SSL_get0_verified_chain - get the X509 certificate 18 forming the certificate chain sent by the peer. If called on the client side, 19 the stack also contains the peer's certificate; if called on the server 20 side, the peer's certificate must be obtained separately using 22 If the peer did not present a certificate, NULL is returned. 28 SSL_get0_verified_chain() returns the B<verified> certificate chain 29 of the peer including the peer's end entity certificate. It must be called 40 The reference count of each certificate in the returned STACK_OF(X509) object 54 No certificate was presented by the peer or no connection was established 55 or the certificate chain is no longer available when a session is reused.
SSL_CTX_set_verify.pod | 12 - set various SSL/TLS parameters for peer certificate verification 57 server certificate verification step. 72 sent. A certificate callback will need to be set via 89 client, so the client will not send a certificate. 125 connection. Do not ask for a client certificate again during 165 The depth count is "level 0:peer certificate", "level 1: CA certificate", 171 a final trust anchor certificate. 178 for the certificate chain verification. 181 (the root CA certificate) and worked upward to the peer's certificate. 208 certificate or certificate callback to its configuration before it can
X509_ACERT_print_ex.pod | 19 certificate I<acert> to BIO I<bp>. 21 The following data contained in the attribute certificate is printed 28 The header text "Attribute certificate:" and "Data:" (X509_FLAG_NO_HEADER) 32 The attribute certificate version number as defined by the standard, 40 The serial number of the attribute certificate (X509_FLAG_NO_SERIAL) 44 The identity of the holder of the attribute certificate. If the 49 holder's certificate are displayed. (X509_FLAG_NO_SUBJECT) 53 The name of the attribute certificate issuer as returned from 65 The list of attributes contained in the attribute certificate. 72 All X.509 extensions contained in the attribute certificate. (X509_FLAG_NO_EXTENSIONS)
SSL_check_chain.pod | 5 SSL_check_chain - check certificate chain suitability 15 SSL_check_chain() checks whether certificate B<x>, private key B<pk> and 16 certificate chain B<chain> is suitable for use with the current session 25 If this flag is B<not> set then the certificate will never be used even 31 B<CERT_PKEY_EE_SIGNATURE>: the signature algorithm of the EE certificate is 37 B<CERT_PKEY_EE_PARAM>: the parameters of the end entity certificate are 42 B<CERT_PKEY_EXPLICIT_SIGN>: the end entity certificate algorithm 49 B<CERT_PKEY_CERT_TYPE>: the certificate type is acceptable. Only meaningful 57 clients after a certificate request message. It will typically be called 58 in the certificate callback.
SSL_set1_server_cert_type.pod | 12 SSL_CTX_get0_server_cert_type - certificate type (RFC7250) support 30 set the values for the client certificate type extension. 32 retrieve the local values to be used in the client certificate type extension. 35 set the values for the server certificate type extension. 41 The certificate type extensions are used to negotiate the certificate type to 46 what certificate types the client is able to present. 48 On the server, this setting determines which certificate types the server is 56 what certificate types the client accepts. 58 On the server, this setting determines which certificate types the server is 75 Which corresponds to an X.509 certificate normally used in TLS.
OSSL_CRMF_MSG_get0_tmpl.pod | 46 OSSL_CRMF_MSG_get0_tmpl() retrieves the certificate template of I<crm>. 49 given certificate template I<tmpl>. 52 given certificate template I<tmpl>. 55 given certificate template I<tmpl>. 58 given certificate template I<tmpl>. 61 of the given certificate template I<tmpl>, or NULL if not present. 69 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() decrypts the certificate in the given 73 The function returns the decrypted certificate as a copy, leaving its ownership 80 OSSL_CRMF_MSG_get_certReqId() returns the certificate request ID as a
SSL_CTX_set_max_cert_list.pod | 5 …set_max_cert_list, SSL_get_max_cert_list - manipulate allowed size for the peer's certificate chain 20 certificate chain for all SSL objects created from B<ctx> to be <size> bytes. 27 certificate chain for B<ssl> to be <size> bytes. This setting stays valid 34 During the handshake process, the peer may send a certificate chain. 35 The TLS/SSL standard does not give any maximum size of the certificate chain. 38 received from a faulty or malicious peer, a maximum size for the certificate 41 The default value for the maximum certificate chain size is 100kB (30kB 42 on the 16-bit DOS platform). This should be sufficient for usual certificate 47 For special applications it can be necessary to extend the maximum certificate 57 If the maximum certificate chain size allowed is exceeded, the handshake will
SSL_alert_type_string.pod | 40 non-fatal errors are certificate errors ("certificate expired", 99 =item "NC"/"no certificate" 101 A client, that was asked to send a certificate, does not send a certificate 104 =item "BC"/"bad certificate" 109 =item "UC"/"unsupported certificate" 113 =item "CR"/"certificate revoked" 115 A certificate was revoked by its signer. 117 =item "CE"/"certificate expired" 121 =item "CU"/"certificate unknown" 124 certificate, rendering it unacceptable.
X509_sign.pod | 9 sign certificate, certificate request, or CRL signature 31 X509_sign() signs certificate I<x> using private key I<pkey> and message 33 certificate I<x> but uses the parameters contained in digest context I<ctx>. 34 If the certificate information includes X.509 extensions, 35 these two functions make sure that the certificate bears X.509 version 3. 40 sign certificate requests and CRLs, respectively. 49 of the signed portion of a certificate, certificate request and CRL is cached
/openssl/doc/HOWTO/
certificates.txt | 29 keys, so before you create a certificate or a certificate request, you 42 3. Creating a certificate request 44 To create a certificate, you need to start with a certificate request 45 (or, as some certificate authorities like to put it, "certificate 48 policies). A certificate request is sent to a certificate authority 49 to get it signed into a certificate. You can also sign the certificate 53 The certificate request is created like this: 73 4. Creating a self-signed test certificate 77 certificate for yourself. This is similar to creating a certificate 78 request, but creates a certificate instead of a certificate request.
/openssl/doc/man7/
x509.pod | 5 x509 - X.509 certificate handling 13 An X.509 certificate is a structured grouping of information about 15 (certificate revocation list) is a tool to help determine if a 16 certificate is still valid. The exact definition of those can be 18 In OpenSSL, the type X509 is used to express such a certificate, and 23 X509_REQ is used to express such a certificate request. 25 To handle some complex parts of a certificate, there are the types 27 a certificate attribute), X509_EXTENSION (to express a certificate 31 certificate and a corresponding private key. 40 functions handle PKCS#10 certificate requests.
proxy-certificates.pod | 14 operations on behalf of the owner of the EE (End Entity) certificate. 16 The requirements for a valid proxy certificate are: 23 another proxy certificate. 41 =head2 Enabling proxy certificate verification 61 # A proxy certificate MUST NEVER be a CA certificate. 65 # The extension which marks this certificate as a proxy 119 You can also create a proxy certificate using another proxy 136 user certificate and CA certificates. 139 application and the certificate validation procedure. 151 certificate is checked.
/openssl/doc/man1/
openssl-x509.pod.in | 127 Generate a certificate from scratch, not using an input certificate 137 Output a PKCS#10 certificate request (rather than a certificate). 178 certificate request. 433 in the certificate. 442 a new certificate without providing an input certificate or certificate request. 450 When a new certificate or certificate request is created 464 When transforming a certificate to a new certificate 467 When transforming a certificate or certificate request, 605 Sets the "alias" of the certificate. This will allow the certificate 767 Convert a certificate to a certificate request:
openssl-verification-options.pod | 60 uses of a target certificate the certificate may serve as a trust anchor. 78 A certificate, which may be CA certificate or an end-entity certificate, 103 First, a certificate chain is built up starting from the target certificate 117 A candidate issuer certificate matches a subject certificate 135 The certificate signature algorithm used to sign the subject certificate 367 public key strength when verifying certificate chains. For a certificate 390 the last certificate in a chain if the certificate is supposedly self-signed. 427 construct a certificate chain from the target certificate to a trust anchor. 474 end-entity certificate nor the trust-anchor certificate count against the 513 end-entity certificate.
openssl-nseq.pod.in | 6 openssl-nseq - create or examine a Netscape certificate sequence 19 This command takes a file containing a Netscape certificate 21 file of certificates and converts it into a Netscape certificate 24 A Netscape certificate sequence is an old Netscape-specific format that 27 certificate enrollment. It was also used by Netscape certificate server. 48 Normally a Netscape certificate sequence will be input and the output 50 situation is reversed: a Netscape certificate sequence is created from 59 Output the certificates in a Netscape certificate sequence 63 Create a Netscape certificate sequence
openssl-verify.pod.in | 6 openssl-verify - certificate verification command 24 [I<certificate> ...] 28 This command verifies certificate chains. If a certificate chain has multiple 51 Display information about the certificate chain that has been built (if 96 certificate files. This is useful if the first certificate filename begins 99 =item I<certificate> ... 102 given, this command will attempt to read a single certificate from standard 113 error 24 at 1 depth lookup:invalid CA certificate 117 and the depth. The depth is number of the certificate being verified when a 119 itself then 1 for the CA that signed the target certificate and so on.