author | Richard Levitte <levitte@openssl.org> | 2019-03-07 15:26:34 +0100 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2019-11-03 18:38:23 +0100 |
commit | fd3397fc47bfd92e7e33d88aa566cb0c8bd29330 (patch) | |
tree | 463778bc2ded727930631bec442d7ec7b7509488 /doc/man1/openssl-verify.pod.in | |
parent | 6dcb100f89d0ef081771d533fed342412ac7a13f (diff) | |
download | openssl-fd3397fc47bfd92e7e33d88aa566cb0c8bd29330.tar.gz |
Add -CAstore and similar to all openssl commands that have -CApath
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8442)
Diffstat (limited to 'doc/man1/openssl-verify.pod.in')
-rw-r--r-- | doc/man1/openssl-verify.pod.in | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in index 72ef98cc85..9a92cb6f32 100644 --- a/doc/man1/openssl-verify.pod.in +++ b/doc/man1/openssl-verify.pod.in @@ -190,8 +190,8 @@ P-256 and P-384. =item B<-trusted_first> When constructing the certificate chain, use the trusted certificates specified -via B<-CAfile>, B<-CApath> or B<-trusted> before any certificates specified via -B<-untrusted>. +via B<-CAfile>, B<-CApath>, B<-CAstore> or B<-trusted> before any certificates +specified via B<-untrusted>. This can be useful in environments with Bridge or Cross-Certified CAs. As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. @@ -222,9 +222,9 @@ consulted. That is, the only trust-anchors are those listed in I<file>. This option can be specified more than once to include trusted certificates from multiple I<file>s. -This option implies the B<-no-CAfile> and B<-no-CApath> options. -This option cannot be used in combination with either of the B<-CAfile> or -B<-CApath> options. +This option implies the B<-no-CAfile>, B<-no-CApath> and B<-no-CAstore> options. +This option cannot be used in combination with any of the B<-CAfile>, +B<-CApath> or B<-CAstore> options. =item B<-use_deltas> @@ -743,8 +743,9 @@ Although the issuer checks are a considerable improvement over the old technique they still suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that trusted certificates with matching subject name must either appear in a file (as specified by the B<-CAfile> -option) or a directory (as specified by B<-CApath>). If they occur in -both then only the certificates in the file will be recognised. +option), a directory (as specified by B<-CApath>), or a store (as specified +by B<-CAstore>). If they occur in more than one location then only the +certificates in the file will be recognised. Previous versions of OpenSSL assume certificates with matching subject name are identical and mishandled them. 
@@ -756,7 +757,8 @@ B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes. =head1 SEE ALSO L<openssl(1)>, -L<openssl-x509(1)> +L<openssl-x509(1)>, +L<ossl_store-file(7)> =head1 HISTORY |
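Review bot: In the @@ -222,9 +222,9 @@ hunk, B<-trusted> is now documented as implying B<-no-CAstore> and as conflicting with B<-CAstore>, yet none of the four hunks in this file adds a SYNOPSIS entry or an =item for either option (the diffstat's 10 insertions are all accounted for by the reworded sentences and the SEE ALSO line). Unless those options are pulled into this page from somewhere else, a reader meets B<-CAstore> and B<-no-CAstore> here with no definition to check them against. Please add the two entries next to wherever B<-CAfile> and B<-CApath> are described, or point to where they are defined.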
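Review bot: In the @@ -743,8 +743,9 @@ hunk, the rewritten sentence "If they occur in more than one location then only the certificates in the file will be recognised" does not cover the case the change itself introduces: same-subject trusted certificates present in the B<-CApath> directory and the B<-CAstore> store but not in the B<-CAfile> file. With two locations "the file wins" was complete; with three it leaves the directory-versus-store precedence undefined, and that is exactly what someone debugging an unexpected trust anchor needs to know. Suggest stating the full lookup order across all three sources, or saying explicitly that the order between directory and store is unspecified.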