Lines Matching +full:no +full:- +full:invalid +full:- +full:this

5 openssl-verify,
6 verify - Utility to verify certificates
11 [B<-help>]
12 [B<-CAfile file>]
13 [B<-CApath directory>]
14 [B<-no-CAfile>]
15 [B<-no-CApath>]
16 [B<-allow_proxy_certs>]
17 [B<-attime timestamp>]
18 [B<-check_ss_sig>]
19 [B<-CRLfile file>]
20 [B<-crl_download>]
21 [B<-crl_check>]
22 [B<-crl_check_all>]
23 [B<-engine id>]
24 [B<-explicit_policy>]
25 [B<-extended_crl>]
26 [B<-ignore_critical>]
27 [B<-inhibit_any>]
28 [B<-inhibit_map>]
29 [B<-nameopt option>]
30 [B<-no_check_time>]
31 [B<-partial_chain>]
32 [B<-policy arg>]
33 [B<-policy_check>]
34 [B<-policy_print>]
35 [B<-purpose purpose>]
36 [B<-suiteB_128>]
37 [B<-suiteB_128_only>]
38 [B<-suiteB_192>]
39 [B<-trusted_first>]
40 [B<-no_alt_chains>]
41 [B<-untrusted file>]
42 [B<-trusted file>]
43 [B<-use_deltas>]
44 [B<-verbose>]
45 [B<-auth_level level>]
46 [B<-verify_depth num>]
47 [B<-verify_email email>]
48 [B<-verify_hostname hostname>]
49 [B<-verify_ip ip>]
50 [B<-verify_name name>]
51 [B<-x509_strict>]
52 [B<-show_chain>]
53 [B<->]
64 =item B<-help>
68 =item B<-CAfile file>
73 =item B<-CApath directory>
76 of the form: hash.0 or have symbolic links to them of this
77 form ("hash" is the hashed certificate subject name: see the B<-hash> option
81 =item B<-no-CAfile>
85 =item B<-no-CApath>
89 =item B<-allow_proxy_certs>
93 =item B<-attime timestamp>
99 =item B<-check_ss_sig>
102 the last certificate in a chain if the certificate is supposedly self-signed.
103 This is prohibited and will result in an error if it is a non-conforming CA
105 This verification is disabled by default because it doesn't add any security.
107 =item B<-CRLfile file>
110 This option can be specified more than once to include CRLs from multiple
113 =item B<-crl_download>
115 Attempt to download CRL information for this certificate.
117 =item B<-crl_check>
122 =item B<-crl_check_all>
127 =item B<-engine id>
133 the B<-trusted>, B<-untrusted> or B<-CRLfile> options, the B<-engine> option
136 =item B<-explicit_policy>
138 Set policy variable require-explicit-policy (see RFC5280).
140 =item B<-extended_crl>
145 =item B<-ignore_critical>
149 If this option is set critical extensions are ignored.
151 =item B<-inhibit_any>
153 Set policy variable inhibit-any-policy (see RFC5280).
155 =item B<-inhibit_map>
157 Set policy variable inhibit-policy-mapping (see RFC5280).
159 =item B<-nameopt option>
163 commas. Alternatively the B<-nameopt> switch may be used more than once to
166 =item B<-no_check_time>
168 This option suppresses checking the validity period of certificates and CRLs
169 against the current time. If option B<-attime timestamp> is used to specify
172 =item B<-partial_chain>
175 self-signed trust-anchor, provided it is possible to construct a chain to a
176 trusted certificate that might not be self-signed.
178 =item B<-policy arg>
180 Enable policy processing and add B<arg> to the user-initial-policy-set (see
182 This argument can appear more than once.
184 =item B<-policy_check>
188 =item B<-policy_print>
192 =item B<-purpose purpose>
194 The intended use for the certificate. If this option is not specified,
200 =item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
206 P-256 and P-384.
208 =item B<-trusted_first>
211 via B<-CAfile>, B<-CApath> or B<-trusted> before any certificates specified via
212 B<-untrusted>.
213 This can be useful in environments with Bridge or Cross-Certified CAs.
214 As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.
216 =item B<-no_alt_chains>
218 By default, unless B<-trusted_first> is specified, when building a certificate
222 As of OpenSSL 1.1.0, with B<-trusted_first> always on, this option has no
225 =item B<-untrusted file>
228 to construct a certificate chain from the subject certificate to a trust-anchor.
230 This option can be specified more than once to include untrusted certificates
233 =item B<-trusted file>
235 A B<file> of trusted certificates, which must be self-signed, unless the
236 B<-partial_chain> option is specified.
238 With this option, no additional (e.g., default) certificate lists are
240 That is, the only trust-anchors are those listed in B<file>.
241 This option can be specified more than once to include trusted certificates
243 This option implies the B<-no-CAfile> and B<-no-CApath> options.
244 This option cannot be used in combination with either of the B<-CAfile> or
245 B<-CApath> options.
247 =item B<-use_deltas>
251 =item B<-verbose>
255 =item B<-auth_level level>
267 The default security level is -1, or "not set".
269 Security level 1 requires at least 80-bit-equivalent security and is broadly
273 =item B<-verify_depth num>
277 end-entity certificate nor the trust-anchor certificate count against the
278 B<-verify_depth> limit.
280 =item B<-verify_email email>
285 =item B<-verify_hostname hostname>
290 =item B<-verify_ip ip>
295 =item B<-verify_name name>
301 See the B<-addtrust> and B<-addreject> options of the L<x509(1)> command-line
308 specified, so the B<-verify_name> options are functionally equivalent to the
309 corresponding B<-purpose> settings.
311 =item B<-x509_strict>
313 For strict X.509 compliance, disable non-compliant workarounds for broken
316 =item B<-show_chain>
322 =item B<->
324 Indicates the last option. All arguments following this are assumed to be
325 certificate files. This is useful if the first certificate filename begins
326 with a B<->.
330 One or more certificates to verify. If no certificates are given, B<verify>
339 verification, therefore, this description applies to these verify operations
345 first error. This allows all the problems with a certificate chain to be
367 The lookup first looks in the list of untrusted certificates and if no match
374 consistency with the supplied purpose. If the B<-purpose> option is not included
375 then no checks are done. The supplied or "leaf" certificate must have extensions
382 For compatibility with previous versions of OpenSSL, a certificate with no
389 The B<-attime> flag may be used to use a reference time other than "now."
391 (except for the signature of the typically self-signed root CA certificate,
392 which is verified only if the B<-check_ss_sig> option is given).
403 error 24 at 1 depth lookup:invalid CA certificate
412 A partial list of the error codes and messages is shown below, this also
429 The issuer certificate of a looked up certificate could not be found. This
438 The certificate signature could not be decrypted. This means that the
440 the expected value, this is only meaningful for RSA keys.
444 The CRL signature could not be decrypted: this means that the actual
454 The signature of the certificate is invalid.
458 The signature of the certificate is invalid.
480 The certificate notBefore field contains an invalid time.
484 The certificate notAfter field contains an invalid time.
488 The CRL lastUpdate field contains an invalid time.
492 The CRL nextUpdate field contains an invalid time.
496 An error occurred trying to allocate memory. This should never happen.
500 The passed certificate is self-signed and the same certificate cannot
510 The issuer certificate could not be found: this occurs if the issuer
515 No signatures could be verified because the chain contains only one
529 A CA certificate is invalid. Either it is not a CA or its extensions
551 B<-issuer_checks> option.
556 B<-issuer_checks> option.
561 B<-issuer_checks> option.
566 B<-issuer_checks> option.
586 Invalid non-CA certificate has CA markings.
594 Proxy certificate subject is invalid. It MUST be the same as the issuer
603 Proxy certificates not allowed, please use B<-allow_proxy_certs>.
607 Invalid or inconsistent certificate extension.
611 Invalid or inconsistent certificate policy extension.
615 No explicit policy.
651 Unsupported or invalid name constraint syntax.
655 Unsupported or invalid name syntax.
667 Suite B: certificate version invalid.
671 Suite B: invalid public key algorithm.
675 Suite B: invalid ECC curve.
679 Suite B: invalid signature algorithm.
683 Suite B: curve not allowed for this LOS.
687 Suite B: cannot sign P-384 with P-256.
703 DANE TLSA authentication is enabled, but no TLSA records matched the
705 This error is only possible in L<s_client(1)>.
729 Certificate Transparency required, but no valid SCTs found.
754 API. One consequence of this is that trusted certificates with matching
755 subject name must either appear in a file (as specified by the B<-CAfile>
756 option) or a directory (as specified by B<-CApath>). If they occur in
762 Previous versions of this documentation swapped the meaning of the
772 The B<-show_chain> option was added in OpenSSL 1.1.0.
774 The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
779 Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
782 this file except in compliance with the License. You can obtain a copy