Document -trusted_first option in man pages and help.

Add -trusted_first description to help messages and man pages
of tools that deal with certificate verification.

6 files changed, 27 insertions, 5 deletions

diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod
index a1c896c1e3..66be0bf2a5 100644
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -35,6 +35,7 @@ B<openssl> B<cms>
 [B<-print>]
 [B<-CAfile file>]
 [B<-CApath dir>]
+[B<-trusted_first>]
 [B<-md digest>]
 [B<-[cipher]>]
 [B<-nointern>]
@@ -429,9 +430,9 @@ portion of a message so they may be included manually. If signing
 then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
 
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
 
-Set various certificate chain valiadition option. See the
+Set various certificate chain valiadition options. See the
 L<B<verify>|verify(1)> manual page for details.
 
 =back
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index af2e12e418..6939e55a2a 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
 [B<-path>]
 [B<-CApath dir>]
 [B<-CAfile file>]
+[B<-trusted_first>]
 [B<-VAfile file>]
 [B<-validity_period n>]
 [B<-status_age n>]
@@ -138,6 +139,11 @@ or "/" by default.
 file or pathname containing trusted CA certificates. These are used to verify
 the signature on the OCSP response.
 
+=item B<-trusted_first>
+
+Set certificate verification option.
+See L<B<verify>|verify(1)> manual page for details.
+
 =item B<-verify_other file>
 
 file containing additional certificates to search when attempting to locate
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 8964032cde..55c501e29d 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -18,6 +18,7 @@ B<openssl> B<s_client>
 [B<-pass arg>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-trusted_first>]
 [B<-reconnect>]
 [B<-pause>]
 [B<-showcerts>]
@@ -116,9 +117,9 @@ also used when building the client certificate chain.
 A file containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
 
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
 
-Set various certificate chain valiadition option. See the
+Set various certificate chain valiadition options. See the
 L<B<verify>|verify(1)> manual page for details.
 
 =item B<-reconnect>
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index ad8dcdacef..1de307a0ff 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -34,6 +34,7 @@ B<openssl> B<s_server>
 [B<-state>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-trusted_first>]
 [B<-nocert>]
 [B<-cipher cipherlist>]
 [B<-quiet>]
@@ -183,6 +184,11 @@ and to use when attempting to build the server certificate chain. The list
 is also used in the list of acceptable client CAs passed to the client when
 a certificate is requested.
 
+=item B<-trusted_first>
+
+Set certificate verification option.
+See the L<B<verify>|verify(1)> manual page for details.
+
 =item B<-state>
 
 prints out the SSL session states.
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index d39a59a90d..cc6f3aeaa4 100644
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -15,6 +15,7 @@ B<openssl> B<smime>
 [B<-pk7out>]
 [B<-[cipher]>]
 [B<-in file>]
+[B<-trusted_first>]
 [B<-certfile file>]
 [B<-signer file>]
 [B<-recip  file>]
@@ -259,7 +260,7 @@ portion of a message so they may be included manually. If signing
 then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
 
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
 
 Set various options of certificate chain verification. See
 L<B<verify>|verify(1)> manual page for details.
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index f35d402950..764e617c34 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
 B<openssl> B<verify>
 [B<-CApath directory>]
 [B<-CAfile file>]
+[B<-trusted_first>]
 [B<-purpose purpose>]
 [B<-policy arg>]
 [B<-ignore_critical>]
@@ -57,6 +58,12 @@ in PEM format concatenated together.
 A file of untrusted certificates. The file should contain multiple certificates
 in PEM format concatenated together.
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory before certificates in untrusted
+file when building the trust chain to verify certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-purpose purpose>
 
 The intended use for the certificate. If this option is not specified,