Update files for OpenSSL-1.0.0f import.
e3261593 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
8b0cefbb 5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
8b0cefbb 9.de Vb \" Begin verbatim text
10.ft CW
11.nf
12.ne \\$1
13..
8b0cefbb 14.de Ve \" End verbatim text
984263bc 15.ft R
16.fi
17..
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
8b0cefbb 25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 26.ie n \{\
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
984263bc 41'br\}
8b0cefbb 42.\"
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
8b0cefbb 47.\" If the F register is turned on, we'll generate index entries on stderr for
01185282 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
e257b235 51.ie \nF \{\
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 54..
55. nr % 0
56. rr F
984263bc 57.\}
58.el \{\
59. de IX
60..
61.\}
aac4ff6f 62.\"
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
984263bc 66.if n \{\
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
72.\}
73.if t \{\
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
984263bc 79.\}
8b0cefbb 80. \" simple accents for nroff and troff
984263bc 81.if n \{\
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
88.\}
89.if t \{\
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 96.\}
8b0cefbb 97. \" troff and (daisy-wheel) nroff accents
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 107. \" corrections for vroff
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 110. \" for low resolution devices (crt and lpr)
111.if \n(.H>23 .if \n(.V>19 \
112\{\
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
122.\}
123.rm #[ #] #H #V #F C
124.\" ========================================================================
125.\"
126.IX Title "VERIFY 1"
e3261593 127.TH VERIFY 1 "2012-01-04" "1.0.0f" "OpenSSL"
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
132.SH "NAME"
133verify \- Utility to verify certificates.
134.SH "SYNOPSIS"
135.IX Header "SYNOPSIS"
136\&\fBopenssl\fR \fBverify\fR
137[\fB\-CApath directory\fR]
138[\fB\-CAfile file\fR]
139[\fB\-purpose purpose\fR]
140[\fB\-policy arg\fR]
141[\fB\-ignore_critical\fR]
142[\fB\-crl_check\fR]
143[\fB\-crl_check_all\fR]
144[\fB\-policy_check\fR]
145[\fB\-explicit_policy\fR]
146[\fB\-inhibit_any\fR]
147[\fB\-inhibit_map\fR]
148[\fB\-x509_strict\fR]
149[\fB\-extended_crl\fR]
150[\fB\-use_deltas\fR]
151[\fB\-policy_print\fR]
152[\fB\-untrusted file\fR]
153[\fB\-help\fR]
154[\fB\-issuer_checks\fR]
155[\fB\-verbose\fR]
e3cdf75b 156[\fB\-\fR]
157[certificates]
158.SH "DESCRIPTION"
8b0cefbb 159.IX Header "DESCRIPTION"
160The \fBverify\fR command verifies certificate chains.
161.SH "COMMAND OPTIONS"
162.IX Header "COMMAND OPTIONS"
163.IP "\fB\-CApath directory\fR" 4
164.IX Item "-CApath directory"
165A directory of trusted certificates. The certificates should have names
166of the form: hash.0 or have symbolic links to them of this
8b0cefbb 167form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option
168of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically
169create symbolic links to a directory of certificates.
170.IP "\fB\-CAfile file\fR" 4
171.IX Item "-CAfile file"
172A file of trusted certificates. The file should contain multiple certificates
173in \s-1PEM\s0 format concatenated together.
174.IP "\fB\-untrusted file\fR" 4
175.IX Item "-untrusted file"
984263bc 176A file of untrusted certificates. The file should contain multiple certificates in \s-1PEM\s0 format concatenated together.
177.IP "\fB\-purpose purpose\fR" 4
178.IX Item "-purpose purpose"
179the intended use for the certificate. Without this option no chain verification
180will be done. Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR,
8b0cefbb 181\&\fBnssslserver\fR, \fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY\s0 \s-1OPERATION\s0\fR
984263bc 182section for more information.
183.IP "\fB\-help\fR" 4
184.IX Item "-help"
984263bc 185prints out a usage message.
186.IP "\fB\-verbose\fR" 4
187.IX Item "-verbose"
984263bc 188print extra information about the operations being performed.
189.IP "\fB\-issuer_checks\fR" 4
190.IX Item "-issuer_checks"
191print out diagnostics relating to searches for the issuer certificate
192of the current certificate. This shows why each candidate issuer
193certificate was rejected. However the presence of rejection messages
194does not itself imply that anything is wrong: during the normal
195verify process several rejections may take place.
196.IP "\fB\-policy arg\fR" 4
197.IX Item "-policy arg"
198Enable policy processing and add \fBarg\fR to the user-initial-policy-set
199(see \s-1RFC3280\s0 et al). The policy \fBarg\fR can be an object name or an \s-1OID\s0 in numeric
200form. This argument can appear more than once.
201.IP "\fB\-policy_check\fR" 4
202.IX Item "-policy_check"
203Enables certificate policy processing.
204.IP "\fB\-explicit_policy\fR" 4
205.IX Item "-explicit_policy"
206Set policy variable require-explicit-policy (see \s-1RFC3280\s0 et al).
207.IP "\fB\-inhibit_any\fR" 4
208.IX Item "-inhibit_any"
209Set policy variable inhibit-any-policy (see \s-1RFC3280\s0 et al).
210.IP "\fB\-inhibit_map\fR" 4
211.IX Item "-inhibit_map"
212Set policy variable inhibit-policy-mapping (see \s-1RFC3280\s0 et al).
213.IP "\fB\-policy_print\fR" 4
214.IX Item "-policy_print"
215Print out diagnostics related to policy checking.
216.IP "\fB\-crl_check\fR" 4
217.IX Item "-crl_check"
218Checks end entity certificate validity by attempting to look up a valid \s-1CRL\s0.
219If a valid \s-1CRL\s0 cannot be found an error occurs.
220.IP "\fB\-crl_check_all\fR" 4
221.IX Item "-crl_check_all"
222Checks the validity of \fBall\fR certificates in the chain by attempting
223to look up valid CRLs.
224.IP "\fB\-ignore_critical\fR" 4
225.IX Item "-ignore_critical"
226Normally if an unhandled critical extension is present which is not
227supported by OpenSSL the certificate is rejected (as required by
228\&\s-1RFC3280\s0 et al). If this option is set critical extensions are
229ignored.
230.IP "\fB\-x509_strict\fR" 4
231.IX Item "-x509_strict"
232Disable workarounds for broken certificates which have to be disabled
233for strict X.509 compliance.
234.IP "\fB\-extended_crl\fR" 4
235.IX Item "-extended_crl"
236Enable extended \s-1CRL\s0 features such as indirect CRLs and alternate \s-1CRL\s0
237signing keys.
238.IP "\fB\-use_deltas\fR" 4
239.IX Item "-use_deltas"
240Enable support for delta CRLs.
241.IP "\fB\-check_ss_sig\fR" 4
242.IX Item "-check_ss_sig"
243Verify the signature on the self-signed root \s-1CA\s0. This is disabled by default
244because it doesn't add any security.
245.IP "\fB\-\fR" 4
246.IX Item "-"
247marks the last option. All arguments following this are assumed to be
248certificate files. This is useful if the first certificate filename begins
e3cdf75b 249with a \fB\-\fR.
250.IP "\fBcertificates\fR" 4
251.IX Item "certificates"
252one or more certificates to verify. If no certificate filenames are included
253then an attempt is made to read a certificate from standard input. They should
254all be in \s-1PEM\s0 format.
255.SH "VERIFY OPERATION"
256.IX Header "VERIFY OPERATION"
257The \fBverify\fR program uses the same functions as the internal \s-1SSL\s0 and S/MIME
258verification, therefore this description applies to these verify operations
259too.
260.PP
261There is one crucial difference between the verify operations performed
262by the \fBverify\fR program and the internal verification described above: wherever possible an attempt is made to continue
263after an error whereas normally the verify operation would halt on the
264first error. This allows all the problems with a certificate chain to be
265determined.
266.PP
267The verify operation consists of a number of separate steps.
268.PP
269Firstly a certificate chain is built up starting from the supplied certificate
8b0cefbb 270and ending in the root \s-1CA\s0. It is an error if the whole chain cannot be built
271up. The chain is built up by looking up the issuer's certificate of the current
272certificate. If a certificate is found which is its own issuer it is assumed
8b0cefbb 273to be the root \s-1CA\s0.
984263bc 274.PP
8b0cefbb 275The process of 'looking up the issuer's certificate' itself involves a number
276of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
277subject name matched the issuer of the current certificate was assumed to be
278the issuer's certificate. In OpenSSL 0.9.6 and later all certificates
279whose subject name matches the issuer name of the current certificate are
280subject to further tests. The relevant authority key identifier components
281of the current certificate (if present) must match the subject key identifier
282(if present) and issuer and serial number of the candidate issuer, in addition
283the keyUsage extension of the candidate issuer (if present) must permit
284certificate signing.
285.PP
286The lookup first looks in the list of untrusted certificates and if no match
8b0cefbb 287is found the remaining lookups are from the trusted certificates. The root \s-1CA\s0
288is always looked up in the trusted certificate list: if the certificate to
289verify is a root certificate then an exact match must be found in the trusted
290list.
291.PP
292The second operation is to check every untrusted certificate's extensions for
293consistency with the supplied purpose. If the \fB\-purpose\fR option is not included
294then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions
295compatible with the supplied purpose and all other certificates must also be valid
296\&\s-1CA\s0 certificates. The precise extensions required are described in more detail in
297the \fB\s-1CERTIFICATE\s0 \s-1EXTENSIONS\s0\fR section of the \fBx509\fR utility.
984263bc 298.PP
299The third operation is to check the trust settings on the root \s-1CA\s0. The root
300\&\s-1CA\s0 should be trusted for the supplied purpose. For compatibility with previous
984263bc 301versions of SSLeay and OpenSSL a certificate with no trust settings is considered
e257b235 302to be valid for all purposes.
303.PP
304The final operation is to check the validity of the certificate chain. The validity
305period is checked against the current system time and the notBefore and notAfter
306dates in the certificate. The certificate signatures are also checked at this
307point.
308.PP
309If all operations complete successfully then the certificate is considered valid. If
310any operation fails then the certificate is not valid.
311.SH "DIAGNOSTICS"
8b0cefbb 312.IX Header "DIAGNOSTICS"
313When a verify operation fails the output messages can be somewhat cryptic. The
314general form of the error message is:
315.PP
316.Vb 2
317\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
318\& error 24 at 1 depth lookup:invalid CA certificate
319.Ve
8b0cefbb 320.PP
321The first line contains the name of the certificate being verified followed by
322the subject name of the certificate. The second line contains the error number
323and the depth. The depth is the number of the certificate being verified when a
324problem was detected starting with zero for the certificate being verified itself
8b0cefbb 325then 1 for the \s-1CA\s0 that signed the certificate and so on. Finally a text version
326of the error number is presented.
327.PP
328An exhaustive list of the error codes and messages is shown below; this also
329includes the name of the error code as defined in the header file x509_vfy.h.
330Some of the error codes are defined but never returned: these are described
331as \*(L"unused\*(R".
332.IP "\fB0 X509_V_OK: ok\fR" 4
333.IX Item "0 X509_V_OK: ok"
984263bc 334the operation was successful.
335.IP "\fB2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR" 4
336.IX Item "2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate"
337the issuer certificate of a looked up certificate could not be found. This
338normally means the list of trusted certificates is not complete.
339.IP "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate \s-1CRL\s0\fR" 4
340.IX Item "3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL"
01185282 341the \s-1CRL\s0 of a certificate could not be found.
342.IP "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4
343.IX Item "4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature"
344the certificate signature could not be decrypted. This means that the actual signature value
345could not be determined rather than it not matching the expected value, this is only
346meaningful for \s-1RSA\s0 keys.
347.IP "\fB5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4
348.IX Item "5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature"
349the \s-1CRL\s0 signature could not be decrypted: this means that the actual signature value
350could not be determined rather than it not matching the expected value. Unused.
351.IP "\fB6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4
352.IX Item "6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key"
984263bc 353the public key in the certificate SubjectPublicKeyInfo could not be read.
354.IP "\fB7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4
355.IX Item "7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure"
984263bc 356the signature of the certificate is invalid.
357.IP "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4
358.IX Item "8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure"
01185282 359the signature of the \s-1CRL\s0 is invalid.
360.IP "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4
361.IX Item "9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid"
984263bc 362the certificate is not yet valid: the notBefore date is after the current time.
363.IP "\fB10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR" 4
364.IX Item "10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired"
984263bc 365the certificate has expired: that is the notAfter date is before the current time.
366.IP "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4
367.IX Item "11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid"
01185282 368the \s-1CRL\s0 is not yet valid.
369.IP "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4
370.IX Item "12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired"
01185282 371the \s-1CRL\s0 has expired.
372.IP "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4
373.IX Item "13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field"
984263bc 374the certificate notBefore field contains an invalid time.
375.IP "\fB14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4
376.IX Item "14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field"
984263bc 377the certificate notAfter field contains an invalid time.
378.IP "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4
379.IX Item "15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field"
01185282 380the \s-1CRL\s0 lastUpdate field contains an invalid time.
381.IP "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4
382.IX Item "16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field"
01185282 383the \s-1CRL\s0 nextUpdate field contains an invalid time.
384.IP "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR" 4
385.IX Item "17 X509_V_ERR_OUT_OF_MEM: out of memory"
984263bc 386an error occurred trying to allocate memory. This should never happen.
387.IP "\fB18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR" 4
388.IX Item "18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate"
389the passed certificate is self signed and the same certificate cannot be found in the list of
390trusted certificates.
391.IP "\fB19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR" 4
392.IX Item "19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain"
393the certificate chain could be built up using the untrusted certificates but the root could not
394be found locally.
395.IP "\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4
396.IX Item "20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate"
397the issuer certificate could not be found: this occurs if the issuer
398certificate of an untrusted certificate cannot be found.
399.IP "\fB21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4
400.IX Item "21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate"
401no signatures could be verified because the chain contains only one certificate and it is not
402self signed.
403.IP "\fB22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4
404.IX Item "22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long"
984263bc 405the certificate chain length is greater than the supplied maximum depth. Unused.
406.IP "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4
407.IX Item "23 X509_V_ERR_CERT_REVOKED: certificate revoked"
01185282 408the certificate has been revoked.
409.IP "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4
410.IX Item "24 X509_V_ERR_INVALID_CA: invalid CA certificate"
411a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not consistent
412with the supplied purpose.
413.IP "\fB25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4
414.IX Item "25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded"
984263bc 415the basicConstraints pathlength parameter has been exceeded.
416.IP "\fB26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4
417.IX Item "26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose"
984263bc 418the supplied certificate cannot be used for the specified purpose.
419.IP "\fB27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4
420.IX Item "27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted"
984263bc 421the root \s-1CA\s0 is not marked as trusted for the specified purpose.
422.IP "\fB28 X509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4
423.IX Item "28 X509_V_ERR_CERT_REJECTED: certificate rejected"
984263bc 424the root \s-1CA\s0 is marked to reject the specified purpose.
425.IP "\fB29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4
426.IX Item "29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch"
427the current candidate issuer certificate was rejected because its subject name
428did not match the issuer name of the current certificate. Only displayed when
429the \fB\-issuer_checks\fR option is set.
430.IP "\fB30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR" 4
431.IX Item "30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch"
432the current candidate issuer certificate was rejected because its subject key
433identifier was present and did not match the authority key identifier of the current
434certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
435.IP "\fB31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR" 4
436.IX Item "31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch"
437the current candidate issuer certificate was rejected because its issuer name
438and serial number were present and did not match the authority key identifier
439of the current certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
440.IP "\fB32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR" 4
441.IX Item "32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing"
442the current candidate issuer certificate was rejected because its keyUsage extension
443does not permit certificate signing.
444.IP "\fB50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR" 4
445.IX Item "50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure"
446an application specific error. Unused.
447.SH "BUGS"
8b0cefbb 448.IX Header "BUGS"
984263bc 449Although the issuer checks are a considerable improvement over the old technique they still
8b0cefbb 450suffer from limitations in the underlying X509_LOOKUP \s-1API\s0. One consequence of this is that
984263bc 451trusted certificates with matching subject name must either appear in a file (as specified by the
8b0cefbb 452\&\fB\-CAfile\fR option) or a directory (as specified by \fB\-CApath\fR). If they occur in both then only
453the certificates in the file will be recognised.
454.PP
455Previous versions of OpenSSL assumed certificates with matching subject name were identical and
456mishandled them.
457.PP
458Previous versions of this documentation swapped the meaning of the
459\&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR and
460\&\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR error codes.
984263bc 461.SH "SEE ALSO"
e3cdf75b 462.IX Header "SEE ALSO"
8b0cefbb 463\&\fIx509\fR\|(1)