Switch from OpenSSL 0.9.7d to 0.9.7e.
[dragonfly.git] / secure / usr.bin / openssl / man / verify.1
CommitLineData
e3cdf75b
JR
1.rn '' }`
2''' $RCSfile$$Revision$$Date$
3'''
4''' $Log$
5'''
6.de Sh
984263bc
MD
7.br
8.if t .Sp
9.ne 5
10.PP
11\fB\\$1\fR
12.PP
13..
e3cdf75b 14.de Sp
984263bc
MD
15.if t .sp .5v
16.if n .sp
17..
e3cdf75b 18.de Ip
984263bc
MD
19.br
20.ie \\n(.$>=3 .ne \\$3
21.el .ne 3
22.IP "\\$1" \\$2
23..
e3cdf75b 24.de Vb
984263bc
MD
25.ft CW
26.nf
27.ne \\$1
28..
e3cdf75b 29.de Ve
984263bc
MD
30.ft R
31
32.fi
33..
e3cdf75b
JR
34'''
35'''
36''' Set up \*(-- to give an unbreakable dash;
37''' string Tr holds user defined translation string.
38''' Bell System Logo is used as a dummy character.
39'''
984263bc 40.tr \(*W-|\(bv\*(Tr
984263bc 41.ie n \{\
e3cdf75b
JR
42.ds -- \(*W-
43.ds PI pi
44.if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
45.if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
46.ds L" ""
47.ds R" ""
48''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of
49''' \*(L" and \*(R", except that they are used on ".xx" lines,
50''' such as .IP and .SH, which do another additional levels of
51''' double-quote interpretation
52.ds M" """
53.ds S" """
54.ds N" """""
55.ds T" """""
56.ds L' '
57.ds R' '
58.ds M' '
59.ds S' '
60.ds N' '
61.ds T' '
984263bc
MD
62'br\}
63.el\{\
e3cdf75b
JR
64.ds -- \(em\|
65.tr \*(Tr
66.ds L" ``
67.ds R" ''
68.ds M" ``
69.ds S" ''
70.ds N" ``
71.ds T" ''
72.ds L' `
73.ds R' '
74.ds M' `
75.ds S' '
76.ds N' `
77.ds T' '
78.ds PI \(*p
984263bc 79'br\}
e3cdf75b
JR
80.\" If the F register is turned on, we'll generate
81.\" index entries out stderr for the following things:
82.\" TH Title
83.\" SH Header
84.\" Sh Subsection
85.\" Ip Item
86.\" X<> Xref (embedded
87.\" Of course, you have to process the output yourself
88.\" in some meaninful fashion.
89.if \nF \{
90.de IX
91.tm Index:\\$1\t\\n%\t"\\$2"
984263bc 92..
e3cdf75b
JR
93.nr % 0
94.rr F
984263bc 95.\}
e3cdf75b
JR
96.TH VERIFY 1 "0.9.7d" "2/Sep/2004" "OpenSSL"
97.UC
98.if n .hy 0
984263bc 99.if n .na
e3cdf75b
JR
100.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
101.de CQ \" put $1 in typewriter font
102.ft CW
103'if n "\c
104'if t \\&\\$1\c
105'if n \\&\\$1\c
106'if n \&"
107\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
108'.ft R
109..
110.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
111. \" AM - accent mark definitions
984263bc 112.bd B 3
e3cdf75b 113. \" fudge factors for nroff and troff
984263bc 114.if n \{\
e3cdf75b
JR
115. ds #H 0
116. ds #V .8m
117. ds #F .3m
118. ds #[ \f1
119. ds #] \fP
984263bc
MD
120.\}
121.if t \{\
e3cdf75b
JR
122. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
123. ds #V .6m
124. ds #F 0
125. ds #[ \&
126. ds #] \&
984263bc 127.\}
e3cdf75b 128. \" simple accents for nroff and troff
984263bc 129.if n \{\
e3cdf75b
JR
130. ds ' \&
131. ds ` \&
132. ds ^ \&
133. ds , \&
134. ds ~ ~
135. ds ? ?
136. ds ! !
137. ds /
138. ds q
984263bc
MD
139.\}
140.if t \{\
e3cdf75b
JR
141. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
142. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
143. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
144. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
145. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
146. ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
147. ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
148. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
149. ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
984263bc 150.\}
e3cdf75b 151. \" troff and (daisy-wheel) nroff accents
984263bc
MD
152.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
153.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
e3cdf75b
JR
154.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
155.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
156.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
157.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
984263bc
MD
158.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
159.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
160.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
161.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
162.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
163.ds ae a\h'-(\w'a'u*4/10)'e
164.ds Ae A\h'-(\w'A'u*4/10)'E
e3cdf75b
JR
165.ds oe o\h'-(\w'o'u*4/10)'e
166.ds Oe O\h'-(\w'O'u*4/10)'E
167. \" corrections for vroff
984263bc
MD
168.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
169.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
e3cdf75b 170. \" for low resolution devices (crt and lpr)
984263bc
MD
171.if \n(.H>23 .if \n(.V>19 \
172\{\
e3cdf75b
JR
173. ds : e
174. ds 8 ss
175. ds v \h'-1'\o'\(aa\(ga'
176. ds _ \h'-1'^
177. ds . \h'-1'.
178. ds 3 3
179. ds o a
180. ds d- d\h'-1'\(ga
181. ds D- D\h'-1'\(hy
182. ds th \o'bp'
183. ds Th \o'LP'
184. ds ae ae
185. ds Ae AE
186. ds oe oe
187. ds Oe OE
984263bc
MD
188.\}
189.rm #[ #] #H #V #F C
984263bc
MD
190.SH "NAME"
191verify \- Utility to verify certificates.
192.SH "SYNOPSIS"
e3cdf75b 193\fBopenssl\fR \fBverify\fR
984263bc
MD
194[\fB\-CApath directory\fR]
195[\fB\-CAfile file\fR]
196[\fB\-purpose purpose\fR]
197[\fB\-untrusted file\fR]
198[\fB\-help\fR]
199[\fB\-issuer_checks\fR]
200[\fB\-verbose\fR]
e3cdf75b 201[\fB\-\fR]
984263bc
MD
202[certificates]
203.SH "DESCRIPTION"
984263bc
MD
204The \fBverify\fR command verifies certificate chains.
205.SH "COMMAND OPTIONS"
984263bc 206.Ip "\fB\-CApath directory\fR" 4
984263bc
MD
207A directory of trusted certificates. The certificates should have names
208of the form: hash.0 or have symbolic links to them of this
e3cdf75b 209form ("hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option
984263bc
MD
210of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically
211create symbolic links to a directory of certificates.
212.Ip "\fB\-CAfile file\fR" 4
984263bc
MD
213A file of trusted certificates. The file should contain multiple certificates
214in \s-1PEM\s0 format concatenated together.
215.Ip "\fB\-untrusted file\fR" 4
984263bc
MD
216A file of untrusted certificates. The file should contain multiple certificates
217.Ip "\fB\-purpose purpose\fR" 4
984263bc
MD
218the intended use for the certificate. Without this option no chain verification
219will be done. Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR,
e3cdf75b 220\fBnssslserver\fR, \fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY\s0 \s-1OPERATION\s0\fR
984263bc
MD
221section for more information.
222.Ip "\fB\-help\fR" 4
984263bc
MD
223prints out a usage message.
224.Ip "\fB\-verbose\fR" 4
984263bc
MD
225print extra information about the operations being performed.
226.Ip "\fB\-issuer_checks\fR" 4
984263bc
MD
227print out diagnostics relating to searches for the issuer certificate
228of the current certificate. This shows why each candidate issuer
229certificate was rejected. However the presence of rejection messages
230does not itself imply that anything is wrong: during the normal
231verify process several rejections may take place.
e3cdf75b 232.Ip "\fB\-\fR" 4
984263bc
MD
233marks the last option. All arguments following this are assumed to be
234certificate files. This is useful if the first certificate filename begins
e3cdf75b 235with a \fB\-\fR.
984263bc 236.Ip "\fBcertificates\fR" 4
984263bc
MD
237one or more certificates to verify. If no certificate filenames are included
238then an attempt is made to read a certificate from standard input. They should
239all be in \s-1PEM\s0 format.
240.SH "VERIFY OPERATION"
e3cdf75b 241The \fBverify\fR program uses the same functions as the internal SSL and S/MIME
984263bc
MD
242verification, therefore this description applies to these verify operations
243too.
244.PP
245There is one crucial difference between the verify operations performed
246by the \fBverify\fR program: wherever possible an attempt is made to continue
247after an error whereas normally the verify operation would halt on the
248first error. This allows all the problems with a certificate chain to be
249determined.
250.PP
251The verify operation consists of a number of separate steps.
252.PP
253Firstly a certificate chain is built up starting from the supplied certificate
e3cdf75b 254and ending in the root CA. It is an error if the whole chain cannot be built
984263bc
MD
255up. The chain is built up by looking up the issuers certificate of the current
256certificate. If a certificate is found which is its own issuer it is assumed
e3cdf75b 257to be the root CA.
984263bc 258.PP
e3cdf75b 259The process of \*(L'looking up the issuers certificate\*(R' itself involves a number
984263bc
MD
260of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
261subject name matched the issuer of the current certificate was assumed to be
262the issuers certificate. In OpenSSL 0.9.6 and later all certificates
263whose subject name matches the issuer name of the current certificate are
264subject to further tests. The relevant authority key identifier components
265of the current certificate (if present) must match the subject key identifier
266(if present) and issuer and serial number of the candidate issuer, in addition
267the keyUsage extension of the candidate issuer (if present) must permit
268certificate signing.
269.PP
270The lookup first looks in the list of untrusted certificates and if no match
e3cdf75b 271is found the remaining lookups are from the trusted certificates. The root CA
984263bc
MD
272is always looked up in the trusted certificate list: if the certificate to
273verify is a root certificate then an exact match must be found in the trusted
274list.
275.PP
276The second operation is to check every untrusted certificate's extensions for
277consistency with the supplied purpose. If the \fB\-purpose\fR option is not included
278then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions
279compatible with the supplied purpose and all other certificates must also be valid
e3cdf75b
JR
280CA certificates. The precise extensions required are described in more detail in
281the \fBCERTIFICATE EXTENSIONS\fR section of the \fBx509\fR utility.
984263bc 282.PP
e3cdf75b
JR
283The third operation is to check the trust settings on the root CA. The root
284CA should be trusted for the supplied purpose. For compatibility with previous
984263bc
MD
285versions of SSLeay and OpenSSL a certificate with no trust settings is considered
286to be valid for all purposes.
287.PP
288The final operation is to check the validity of the certificate chain. The validity
289period is checked against the current system time and the notBefore and notAfter
290dates in the certificate. The certificate signatures are also checked at this
291point.
292.PP
293If all operations complete successfully then certificate is considered valid. If
294any operation fails then the certificate is not valid.
295.SH "DIAGNOSTICS"
984263bc
MD
296When a verify operation fails the output messages can be somewhat cryptic. The
297general form of the error message is:
298.PP
299.Vb 2
300\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
301\& error 24 at 1 depth lookup:invalid CA certificate
302.Ve
303The first line contains the name of the certificate being verified followed by
304the subject name of the certificate. The second line contains the error number
305and the depth. The depth is number of the certificate being verified when a
306problem was detected starting with zero for the certificate being verified itself
e3cdf75b 307then 1 for the CA that signed the certificate and so on. Finally a text version
984263bc
MD
308of the error number is presented.
309.PP
310An exhaustive list of the error codes and messages is shown below, this also
311includes the name of the error code as defined in the header file x509_vfy.h
312Some of the error codes are defined but never returned: these are described
313as \*(L"unused\*(R".
314.Ip "\fB0 X509_V_OK: ok\fR" 4
984263bc
MD
315the operation was successful.
316.Ip "\fB2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR" 4
984263bc
MD
317the issuer certificate could not be found: this occurs if the issuer certificate
318of an untrusted certificate cannot be found.
319.Ip "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate \s-1CRL\s0\fR" 4
984263bc
MD
320the \s-1CRL\s0 of a certificate could not be found. Unused.
321.Ip "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4
984263bc
MD
322the certificate signature could not be decrypted. This means that the actual signature value
323could not be determined rather than it not matching the expected value, this is only
324meaningful for \s-1RSA\s0 keys.
325.Ip "\fB5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4
984263bc
MD
326the \s-1CRL\s0 signature could not be decrypted: this means that the actual signature value
327could not be determined rather than it not matching the expected value. Unused.
328.Ip "\fB6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4
984263bc
MD
329the public key in the certificate SubjectPublicKeyInfo could not be read.
330.Ip "\fB7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4
984263bc
MD
331the signature of the certificate is invalid.
332.Ip "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4
984263bc
MD
333the signature of the certificate is invalid. Unused.
334.Ip "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4
984263bc
MD
335the certificate is not yet valid: the notBefore date is after the current time.
336.Ip "\fB10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR" 4
984263bc
MD
337the certificate has expired: that is the notAfter date is before the current time.
338.Ip "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4
984263bc
MD
339the \s-1CRL\s0 is not yet valid. Unused.
340.Ip "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4
984263bc
MD
341the \s-1CRL\s0 has expired. Unused.
342.Ip "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4
984263bc
MD
343the certificate notBefore field contains an invalid time.
344.Ip "\fB14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4
984263bc
MD
345the certificate notAfter field contains an invalid time.
346.Ip "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4
984263bc
MD
347the \s-1CRL\s0 lastUpdate field contains an invalid time. Unused.
348.Ip "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4
984263bc
MD
349the \s-1CRL\s0 nextUpdate field contains an invalid time. Unused.
350.Ip "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR" 4
984263bc
MD
351an error occurred trying to allocate memory. This should never happen.
352.Ip "\fB18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR" 4
984263bc
MD
353the passed certificate is self signed and the same certificate cannot be found in the list of
354trusted certificates.
355.Ip "\fB19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR" 4
984263bc
MD
356the certificate chain could be built up using the untrusted certificates but the root could not
357be found locally.
358.Ip "\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4
984263bc
MD
359the issuer certificate of a locally looked up certificate could not be found. This normally means
360the list of trusted certificates is not complete.
361.Ip "\fB21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4
984263bc
MD
362no signatures could be verified because the chain contains only one certificate and it is not
363self signed.
364.Ip "\fB22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4
984263bc
MD
365the certificate chain length is greater than the supplied maximum depth. Unused.
366.Ip "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4
984263bc
MD
367the certificate has been revoked. Unused.
368.Ip "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4
984263bc
MD
369a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not consistent
370with the supplied purpose.
371.Ip "\fB25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4
984263bc
MD
372the basicConstraints pathlength parameter has been exceeded.
373.Ip "\fB26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4
984263bc
MD
374the supplied certificate cannot be used for the specified purpose.
375.Ip "\fB27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4
984263bc
MD
376the root \s-1CA\s0 is not marked as trusted for the specified purpose.
377.Ip "\fB28 X509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4
984263bc
MD
378the root \s-1CA\s0 is marked to reject the specified purpose.
379.Ip "\fB29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4
984263bc
MD
380the current candidate issuer certificate was rejected because its subject name
381did not match the issuer name of the current certificate. Only displayed when
382the \fB\-issuer_checks\fR option is set.
383.Ip "\fB30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR" 4
984263bc
MD
384the current candidate issuer certificate was rejected because its subject key
385identifier was present and did not match the authority key identifier current
386certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
387.Ip "\fB31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR" 4
984263bc
MD
388the current candidate issuer certificate was rejected because its issuer name
389and serial number was present and did not match the authority key identifier
390of the current certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
391.Ip "\fB32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR" 4
984263bc
MD
392the current candidate issuer certificate was rejected because its keyUsage extension
393does not permit certificate signing.
394.Ip "\fB50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR" 4
984263bc
MD
395an application specific error. Unused.
396.SH "BUGS"
984263bc 397Although the issuer checks are a considerably improvement over the old technique they still
e3cdf75b 398suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
984263bc 399trusted certificates with matching subject name must either appear in a file (as specified by the
e3cdf75b 400\fB\-CAfile\fR option) or a directory (as specified by \fB\-CApath\fR. If they occur in both then only
984263bc
MD
401the certificates in the file will be recognised.
402.PP
403Previous versions of OpenSSL assume certificates with matching subject name are identical and
404mishandled them.
405.SH "SEE ALSO"
984263bc 406x509(1)
e3cdf75b
JR
407
408.rn }` ''
409.IX Title "VERIFY 1"
410.IX Name "verify - Utility to verify certificates."
411
412.IX Header "NAME"
413
414.IX Header "SYNOPSIS"
415
416.IX Header "DESCRIPTION"
417
418.IX Header "COMMAND OPTIONS"
419
420.IX Item "\fB\-CApath directory\fR"
421
422.IX Item "\fB\-CAfile file\fR"
423
424.IX Item "\fB\-untrusted file\fR"
425
426.IX Item "\fB\-purpose purpose\fR"
427
428.IX Item "\fB\-help\fR"
429
430.IX Item "\fB\-verbose\fR"
431
432.IX Item "\fB\-issuer_checks\fR"
433
434.IX Item "\fB\-\fR"
435
436.IX Item "\fBcertificates\fR"
437
438.IX Header "VERIFY OPERATION"
439
440.IX Header "DIAGNOSTICS"
441
442.IX Item "\fB0 X509_V_OK: ok\fR"
443
444.IX Item "\fB2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR"
445
446.IX Item "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate \s-1CRL\s0\fR"
447
448.IX Item "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR"
449
450.IX Item "\fB5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR"
451
452.IX Item "\fB6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR"
453
454.IX Item "\fB7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR"
455
456.IX Item "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR"
457
458.IX Item "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR"
459
460.IX Item "\fB10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR"
461
462.IX Item "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR"
463
464.IX Item "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR"
465
466.IX Item "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR"
467
468.IX Item "\fB14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR"
469
470.IX Item "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR"
471
472.IX Item "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR"
473
474.IX Item "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR"
475
476.IX Item "\fB18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR"
477
478.IX Item "\fB19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR"
479
480.IX Item "\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR"
481
482.IX Item "\fB21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR"
483
484.IX Item "\fB22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR"
485
486.IX Item "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR"
487
488.IX Item "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR"
489
490.IX Item "\fB25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR"
491
492.IX Item "\fB26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR"
493
494.IX Item "\fB27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR"
495
496.IX Item "\fB28 X509_V_ERR_CERT_REJECTED: certificate rejected\fR"
497
498.IX Item "\fB29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR"
499
500.IX Item "\fB30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR"
501
502.IX Item "\fB31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR"
503
504.IX Item "\fB32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR"
505
506.IX Item "\fB50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR"
507
508.IX Header "BUGS"
509
510.IX Header "SEE ALSO"
511