Update files for OpenSSL-1.0.1g import.
[dragonfly.git] / secure / usr.bin / openssl / man / verify.1
CommitLineData
11c7e1cd 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.20)
8b0cefbb
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
8b0cefbb 5.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
6.if t .sp .5v
7.if n .sp
8..
8b0cefbb 9.de Vb \" Begin verbatim text
984263bc
MD
10.ft CW
11.nf
12.ne \\$1
13..
8b0cefbb 14.de Ve \" End verbatim text
984263bc 15.ft R
984263bc
MD
16.fi
17..
8b0cefbb
JR
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
e257b235
PA
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
8b0cefbb 25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 26.ie n \{\
8b0cefbb
JR
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
984263bc
MD
35'br\}
36.el\{\
8b0cefbb
JR
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
984263bc 41'br\}
8b0cefbb 42.\"
e257b235
PA
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
8b0cefbb 47.\" If the F register is turned on, we'll generate index entries on stderr for
01185282 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
8b0cefbb
JR
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
e257b235 51.ie \nF \{\
8b0cefbb
JR
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 54..
8b0cefbb
JR
55. nr % 0
56. rr F
984263bc 57.\}
e257b235
PA
58.el \{\
59. de IX
60..
61.\}
aac4ff6f 62.\"
8b0cefbb
JR
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
984263bc 66.if n \{\
8b0cefbb
JR
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
984263bc
MD
72.\}
73.if t \{\
8b0cefbb
JR
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
984263bc 79.\}
8b0cefbb 80. \" simple accents for nroff and troff
984263bc 81.if n \{\
8b0cefbb
JR
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
984263bc
MD
88.\}
89.if t \{\
8b0cefbb
JR
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 96.\}
8b0cefbb 97. \" troff and (daisy-wheel) nroff accents
984263bc
MD
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 107. \" corrections for vroff
984263bc
MD
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 110. \" for low resolution devices (crt and lpr)
984263bc
MD
111.if \n(.H>23 .if \n(.V>19 \
112\{\
8b0cefbb
JR
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
984263bc
MD
122.\}
123.rm #[ #] #H #V #F C
8b0cefbb
JR
124.\" ========================================================================
125.\"
126.IX Title "VERIFY 1"
11c7e1cd 127.TH VERIFY 1 "2014-04-07" "1.0.1g" "OpenSSL"
e257b235
PA
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
984263bc
MD
132.SH "NAME"
133verify \- Utility to verify certificates.
134.SH "SYNOPSIS"
8b0cefbb
JR
135.IX Header "SYNOPSIS"
136\&\fBopenssl\fR \fBverify\fR
984263bc
MD
137[\fB\-CApath directory\fR]
138[\fB\-CAfile file\fR]
139[\fB\-purpose purpose\fR]
01185282
PA
140[\fB\-policy arg\fR]
141[\fB\-ignore_critical\fR]
142[\fB\-crl_check\fR]
143[\fB\-crl_check_all\fR]
144[\fB\-policy_check\fR]
145[\fB\-explicit_policy\fR]
146[\fB\-inhibit_any\fR]
147[\fB\-inhibit_map\fR]
148[\fB\-x509_strict\fR]
149[\fB\-extended_crl\fR]
150[\fB\-use_deltas\fR]
151[\fB\-policy_print\fR]
984263bc
MD
152[\fB\-untrusted file\fR]
153[\fB\-help\fR]
154[\fB\-issuer_checks\fR]
155[\fB\-verbose\fR]
e3cdf75b 156[\fB\-\fR]
984263bc
MD
157[certificates]
158.SH "DESCRIPTION"
8b0cefbb 159.IX Header "DESCRIPTION"
984263bc
MD
160The \fBverify\fR command verifies certificate chains.
161.SH "COMMAND OPTIONS"
8b0cefbb
JR
162.IX Header "COMMAND OPTIONS"
163.IP "\fB\-CApath directory\fR" 4
164.IX Item "-CApath directory"
984263bc
MD
165A directory of trusted certificates. The certificates should have names
166of the form: hash.0 or have symbolic links to them of this
8b0cefbb 167form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option
984263bc
MD
168of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically
169create symbolic links to a directory of certificates.
8b0cefbb
JR
170.IP "\fB\-CAfile file\fR" 4
171.IX Item "-CAfile file"
984263bc
MD
172A file of trusted certificates. The file should contain multiple certificates
173in \s-1PEM\s0 format concatenated together.
8b0cefbb
JR
174.IP "\fB\-untrusted file\fR" 4
175.IX Item "-untrusted file"
984263bc 176A file of untrusted certificates. The file should contain multiple certificates
58e4c0cf 177in \s-1PEM\s0 format concatenated together.
8b0cefbb
JR
178.IP "\fB\-purpose purpose\fR" 4
179.IX Item "-purpose purpose"
58e4c0cf
PA
180The intended use for the certificate. If this option is not specified,
181\&\fBverify\fR will not consider certificate purpose during chain verification.
182Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR, \fBnssslserver\fR,
183\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY\s0 \s-1OPERATION\s0\fR section for more
184information.
8b0cefbb
JR
185.IP "\fB\-help\fR" 4
186.IX Item "-help"
58e4c0cf 187Print out a usage message.
8b0cefbb
JR
188.IP "\fB\-verbose\fR" 4
189.IX Item "-verbose"
58e4c0cf 190Print extra information about the operations being performed.
8b0cefbb
JR
191.IP "\fB\-issuer_checks\fR" 4
192.IX Item "-issuer_checks"
58e4c0cf
PA
193Print out diagnostics relating to searches for the issuer certificate of the
194current certificate. This shows why each candidate issuer certificate was
195rejected. The presence of rejection messages does not itself imply that
196anything is wrong; during the normal verification process, several
197rejections may take place.
01185282
PA
198.IP "\fB\-policy arg\fR" 4
199.IX Item "-policy arg"
58e4c0cf
PA
200Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see
201\&\s-1RFC5280\s0). The policy \fBarg\fR can be an object name an \s-1OID\s0 in numeric form.
202This argument can appear more than once.
01185282
PA
203.IP "\fB\-policy_check\fR" 4
204.IX Item "-policy_check"
205Enables certificate policy processing.
206.IP "\fB\-explicit_policy\fR" 4
207.IX Item "-explicit_policy"
58e4c0cf 208Set policy variable require-explicit-policy (see \s-1RFC5280\s0).
01185282
PA
209.IP "\fB\-inhibit_any\fR" 4
210.IX Item "-inhibit_any"
58e4c0cf 211Set policy variable inhibit-any-policy (see \s-1RFC5280\s0).
01185282
PA
212.IP "\fB\-inhibit_map\fR" 4
213.IX Item "-inhibit_map"
58e4c0cf 214Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0).
01185282
PA
215.IP "\fB\-policy_print\fR" 4
216.IX Item "-policy_print"
58e4c0cf 217Print out diagnostics related to policy processing.
01185282
PA
218.IP "\fB\-crl_check\fR" 4
219.IX Item "-crl_check"
58e4c0cf 220Checks end entity certificate validity by attempting to look up a valid \s-1CRL\s0.
01185282
PA
221If a valid \s-1CRL\s0 cannot be found an error occurs.
222.IP "\fB\-crl_check_all\fR" 4
223.IX Item "-crl_check_all"
224Checks the validity of \fBall\fR certificates in the chain by attempting
58e4c0cf 225to look up valid CRLs.
01185282
PA
226.IP "\fB\-ignore_critical\fR" 4
227.IX Item "-ignore_critical"
228Normally if an unhandled critical extension is present which is not
58e4c0cf
PA
229supported by OpenSSL the certificate is rejected (as required by \s-1RFC5280\s0).
230If this option is set critical extensions are ignored.
01185282
PA
231.IP "\fB\-x509_strict\fR" 4
232.IX Item "-x509_strict"
58e4c0cf
PA
233For strict X.509 compliance, disable non-compliant workarounds for broken
234certificates.
01185282
PA
235.IP "\fB\-extended_crl\fR" 4
236.IX Item "-extended_crl"
237Enable extended \s-1CRL\s0 features such as indirect CRLs and alternate \s-1CRL\s0
238signing keys.
239.IP "\fB\-use_deltas\fR" 4
240.IX Item "-use_deltas"
241Enable support for delta CRLs.
242.IP "\fB\-check_ss_sig\fR" 4
243.IX Item "-check_ss_sig"
244Verify the signature on the self-signed root \s-1CA\s0. This is disabled by default
245because it doesn't add any security.
8b0cefbb
JR
246.IP "\fB\-\fR" 4
247.IX Item "-"
58e4c0cf 248Indicates the last option. All arguments following this are assumed to be
984263bc 249certificate files. This is useful if the first certificate filename begins
e3cdf75b 250with a \fB\-\fR.
8b0cefbb
JR
251.IP "\fBcertificates\fR" 4
252.IX Item "certificates"
58e4c0cf
PA
253One or more certificates to verify. If no certificates are given, \fBverify\fR
254will attempt to read a certificate from standard input. Certificates must be
255in \s-1PEM\s0 format.
984263bc 256.SH "VERIFY OPERATION"
8b0cefbb
JR
257.IX Header "VERIFY OPERATION"
258The \fBverify\fR program uses the same functions as the internal \s-1SSL\s0 and S/MIME
984263bc
MD
259verification, therefore this description applies to these verify operations
260too.
261.PP
262There is one crucial difference between the verify operations performed
263by the \fBverify\fR program: wherever possible an attempt is made to continue
264after an error whereas normally the verify operation would halt on the
265first error. This allows all the problems with a certificate chain to be
266determined.
267.PP
268The verify operation consists of a number of separate steps.
269.PP
270Firstly a certificate chain is built up starting from the supplied certificate
8b0cefbb 271and ending in the root \s-1CA\s0. It is an error if the whole chain cannot be built
984263bc
MD
272up. The chain is built up by looking up the issuers certificate of the current
273certificate. If a certificate is found which is its own issuer it is assumed
8b0cefbb 274to be the root \s-1CA\s0.
984263bc 275.PP
8b0cefbb 276The process of 'looking up the issuers certificate' itself involves a number
984263bc
MD
277of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
278subject name matched the issuer of the current certificate was assumed to be
279the issuers certificate. In OpenSSL 0.9.6 and later all certificates
280whose subject name matches the issuer name of the current certificate are
281subject to further tests. The relevant authority key identifier components
282of the current certificate (if present) must match the subject key identifier
283(if present) and issuer and serial number of the candidate issuer, in addition
284the keyUsage extension of the candidate issuer (if present) must permit
285certificate signing.
286.PP
287The lookup first looks in the list of untrusted certificates and if no match
8b0cefbb 288is found the remaining lookups are from the trusted certificates. The root \s-1CA\s0
984263bc
MD
289is always looked up in the trusted certificate list: if the certificate to
290verify is a root certificate then an exact match must be found in the trusted
291list.
292.PP
293The second operation is to check every untrusted certificate's extensions for
294consistency with the supplied purpose. If the \fB\-purpose\fR option is not included
295then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions
296compatible with the supplied purpose and all other certificates must also be valid
8b0cefbb
JR
297\&\s-1CA\s0 certificates. The precise extensions required are described in more detail in
298the \fB\s-1CERTIFICATE\s0 \s-1EXTENSIONS\s0\fR section of the \fBx509\fR utility.
984263bc 299.PP
8b0cefbb
JR
300The third operation is to check the trust settings on the root \s-1CA\s0. The root
301\&\s-1CA\s0 should be trusted for the supplied purpose. For compatibility with previous
984263bc 302versions of SSLeay and OpenSSL a certificate with no trust settings is considered
e257b235 303to be valid for all purposes.
984263bc
MD
304.PP
305The final operation is to check the validity of the certificate chain. The validity
306period is checked against the current system time and the notBefore and notAfter
307dates in the certificate. The certificate signatures are also checked at this
308point.
309.PP
310If all operations complete successfully then certificate is considered valid. If
311any operation fails then the certificate is not valid.
312.SH "DIAGNOSTICS"
8b0cefbb 313.IX Header "DIAGNOSTICS"
984263bc
MD
314When a verify operation fails the output messages can be somewhat cryptic. The
315general form of the error message is:
316.PP
317.Vb 2
318\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
319\& error 24 at 1 depth lookup:invalid CA certificate
320.Ve
8b0cefbb 321.PP
984263bc
MD
322The first line contains the name of the certificate being verified followed by
323the subject name of the certificate. The second line contains the error number
324and the depth. The depth is number of the certificate being verified when a
325problem was detected starting with zero for the certificate being verified itself
8b0cefbb 326then 1 for the \s-1CA\s0 that signed the certificate and so on. Finally a text version
984263bc
MD
327of the error number is presented.
328.PP
329An exhaustive list of the error codes and messages is shown below, this also
330includes the name of the error code as defined in the header file x509_vfy.h
331Some of the error codes are defined but never returned: these are described
332as \*(L"unused\*(R".
8b0cefbb
JR
333.IP "\fB0 X509_V_OK: ok\fR" 4
334.IX Item "0 X509_V_OK: ok"
984263bc 335the operation was successful.
8b0cefbb
JR
336.IP "\fB2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR" 4
337.IX Item "2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate"
01185282
PA
338the issuer certificate of a looked up certificate could not be found. This
339normally means the list of trusted certificates is not complete.
aac4ff6f
PA
340.IP "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate \s-1CRL\s0\fR" 4
341.IX Item "3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL"
01185282 342the \s-1CRL\s0 of a certificate could not be found.
8b0cefbb
JR
343.IP "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4
344.IX Item "4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature"
984263bc
MD
345the certificate signature could not be decrypted. This means that the actual signature value
346could not be determined rather than it not matching the expected value, this is only
347meaningful for \s-1RSA\s0 keys.
8b0cefbb
JR
348.IP "\fB5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4
349.IX Item "5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature"
984263bc
MD
350the \s-1CRL\s0 signature could not be decrypted: this means that the actual signature value
351could not be determined rather than it not matching the expected value. Unused.
8b0cefbb
JR
352.IP "\fB6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4
353.IX Item "6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key"
984263bc 354the public key in the certificate SubjectPublicKeyInfo could not be read.
8b0cefbb
JR
355.IP "\fB7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4
356.IX Item "7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure"
984263bc 357the signature of the certificate is invalid.
8b0cefbb
JR
358.IP "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4
359.IX Item "8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure"
01185282 360the signature of the certificate is invalid.
8b0cefbb
JR
361.IP "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4
362.IX Item "9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid"
984263bc 363the certificate is not yet valid: the notBefore date is after the current time.
8b0cefbb
JR
364.IP "\fB10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR" 4
365.IX Item "10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired"
984263bc 366the certificate has expired: that is the notAfter date is before the current time.
8b0cefbb
JR
367.IP "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4
368.IX Item "11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid"
01185282 369the \s-1CRL\s0 is not yet valid.
8b0cefbb
JR
370.IP "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4
371.IX Item "12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired"
01185282 372the \s-1CRL\s0 has expired.
8b0cefbb
JR
373.IP "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4
374.IX Item "13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field"
984263bc 375the certificate notBefore field contains an invalid time.
8b0cefbb
JR
376.IP "\fB14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4
377.IX Item "14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field"
984263bc 378the certificate notAfter field contains an invalid time.
8b0cefbb
JR
379.IP "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4
380.IX Item "15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field"
01185282 381the \s-1CRL\s0 lastUpdate field contains an invalid time.
8b0cefbb
JR
382.IP "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4
383.IX Item "16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field"
01185282 384the \s-1CRL\s0 nextUpdate field contains an invalid time.
8b0cefbb
JR
385.IP "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR" 4
386.IX Item "17 X509_V_ERR_OUT_OF_MEM: out of memory"
984263bc 387an error occurred trying to allocate memory. This should never happen.
8b0cefbb
JR
388.IP "\fB18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR" 4
389.IX Item "18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate"
984263bc
MD
390the passed certificate is self signed and the same certificate cannot be found in the list of
391trusted certificates.
8b0cefbb
JR
392.IP "\fB19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR" 4
393.IX Item "19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain"
984263bc
MD
394the certificate chain could be built up using the untrusted certificates but the root could not
395be found locally.
8b0cefbb
JR
396.IP "\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4
397.IX Item "20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate"
01185282
PA
398the issuer certificate could not be found: this occurs if the issuer
399certificate of an untrusted certificate cannot be found.
8b0cefbb
JR
400.IP "\fB21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4
401.IX Item "21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate"
984263bc
MD
402no signatures could be verified because the chain contains only one certificate and it is not
403self signed.
8b0cefbb
JR
404.IP "\fB22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4
405.IX Item "22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long"
984263bc 406the certificate chain length is greater than the supplied maximum depth. Unused.
8b0cefbb
JR
407.IP "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4
408.IX Item "23 X509_V_ERR_CERT_REVOKED: certificate revoked"
01185282 409the certificate has been revoked.
8b0cefbb
JR
410.IP "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4
411.IX Item "24 X509_V_ERR_INVALID_CA: invalid CA certificate"
984263bc
MD
412a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not consistent
413with the supplied purpose.
8b0cefbb
JR
414.IP "\fB25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4
415.IX Item "25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded"
984263bc 416the basicConstraints pathlength parameter has been exceeded.
8b0cefbb
JR
417.IP "\fB26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4
418.IX Item "26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose"
984263bc 419the supplied certificate cannot be used for the specified purpose.
8b0cefbb
JR
420.IP "\fB27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4
421.IX Item "27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted"
984263bc 422the root \s-1CA\s0 is not marked as trusted for the specified purpose.
8b0cefbb
JR
423.IP "\fB28 X509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4
424.IX Item "28 X509_V_ERR_CERT_REJECTED: certificate rejected"
984263bc 425the root \s-1CA\s0 is marked to reject the specified purpose.
8b0cefbb
JR
426.IP "\fB29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4
427.IX Item "29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch"
984263bc
MD
428the current candidate issuer certificate was rejected because its subject name
429did not match the issuer name of the current certificate. Only displayed when
430the \fB\-issuer_checks\fR option is set.
8b0cefbb
JR
431.IP "\fB30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR" 4
432.IX Item "30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch"
984263bc
MD
433the current candidate issuer certificate was rejected because its subject key
434identifier was present and did not match the authority key identifier current
435certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
8b0cefbb
JR
436.IP "\fB31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR" 4
437.IX Item "31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch"
984263bc
MD
438the current candidate issuer certificate was rejected because its issuer name
439and serial number was present and did not match the authority key identifier
440of the current certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
8b0cefbb
JR
441.IP "\fB32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR" 4
442.IX Item "32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing"
984263bc
MD
443the current candidate issuer certificate was rejected because its keyUsage extension
444does not permit certificate signing.
8b0cefbb
JR
445.IP "\fB50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR" 4
446.IX Item "50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure"
984263bc
MD
447an application specific error. Unused.
448.SH "BUGS"
8b0cefbb 449.IX Header "BUGS"
984263bc 450Although the issuer checks are a considerably improvement over the old technique they still
8b0cefbb 451suffer from limitations in the underlying X509_LOOKUP \s-1API\s0. One consequence of this is that
984263bc 452trusted certificates with matching subject name must either appear in a file (as specified by the
8b0cefbb 453\&\fB\-CAfile\fR option) or a directory (as specified by \fB\-CApath\fR. If they occur in both then only
984263bc
MD
454the certificates in the file will be recognised.
455.PP
456Previous versions of OpenSSL assume certificates with matching subject name are identical and
457mishandled them.
01185282
PA
458.PP
459Previous versions of this documentation swapped the meaning of the
460\&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR and
461\&\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR error codes.
984263bc 462.SH "SEE ALSO"
e3cdf75b 463.IX Header "SEE ALSO"
8b0cefbb 464\&\fIx509\fR\|(1)