[B<-popo> I<number>]
[B<-csr> I<filename>]
[B<-out_trusted> I<filenames>]
-[B<-verify_hostname> I<cn>]
-[B<-verify_ip> I<ip>]
-[B<-verify_email> I<email>]
[B<-implicit_confirm>]
[B<-disable_confirm>]
[B<-certout> I<filename>]
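Review bot: The three removed SYNOPSIS entries B<-verify_hostname>, B<-verify_ip> and B<-verify_email> sat directly after B<-out_trusted>, which the new DESCRIPTION text names as the only verification they affect, so after this removal they appear in the synopsis only if {- $OpenSSL::safe::opt_v_synopsis -} emits them. Please check the generated page for all three and, if the template does not list them, keep these lines.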
Certificate verification options, for both CMP and TLS:
-[B<-policy> I<arg>]
-[B<-purpose> I<purpose>]
-[B<-verify_name> I<name>]
-[B<-verify_depth> I<num>]
-[B<-auth_level> I<level>]
-[B<-attime> I<timestamp>]
-[B<-ignore_critical>]
-[B<-issuer_checks>]
-[B<-policy_check>]
-[B<-explicit_policy>]
-[B<-inhibit_any>]
-[B<-inhibit_map>]
-[B<-x509_strict>]
-[B<-extended_crl>]
-[B<-use_deltas>]
-[B<-policy_print>]
-[B<-check_ss_sig>]
-[B<-crl_check>]
-[B<-crl_check_all>]
-[B<-trusted_first>]
-[B<-suiteB_128_only>]
-[B<-suiteB_128>]
-[B<-suiteB_192>]
-[B<-partial_chain>]
-[B<-no_alt_chains>]
-[B<-no_check_time>]
-[B<-allow_proxy_certs>]
+{- $OpenSSL::safe::opt_v_synopsis -}
=head1 DESCRIPTION
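Review bot: The unchanged heading "Certificate verification options, for both CMP and TLS:" above the new template line overstates the scope if the template includes the -verify_* options, since the text added elsewhere in this patch says B<-verify_hostname>, B<-verify_ip> and B<-verify_email> only affect the B<-out_trusted> verification. Suggest qualifying the heading or adding a short exception so readers do not assume these three apply to TLS or to CMP server authentication.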
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
-=item B<-verify_hostname> I<name>
-
-When verification of the newly enrolled certificate is enabled (with the
-B<-out_trusted> option), check if any DNS Subject Alternative Name (or if no
-DNS SAN is included, the Common Name in the subject) equals the given B<name>.
-
-=item B<-verify_ip> I<ip>
-
-When verification of the newly enrolled certificate is enabled (with the
-B<-out_trusted> option), check if there is
-an IP address Subject Alternative Name matching the given IP address.
-
-=item B<-verify_email> I<email>
-
-When verification of the newly enrolled certificate is enabled (with the
-B<-out_trusted> option), check if there is
-an email address Subject Alternative Name matching the given email address.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+only affect the certificate verification enabled via this option.
=item B<-implicit_confirm>
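Review bot: The replacement sentence says only where the three options apply and drops what they check: the removed items documented DNS SAN matching with the fallback to the subject Common Name when no DNS SAN is included, plus IP address and email address SAN matching. The CN fallback in particular matters to anyone validating a newly enrolled certificate, so either keep one line on the matching rules here (going by the removed text, this is the B<-out_trusted> item) or add an explicit reference to the section that now carries them.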
these are the CA certificate(s) to trust while checking certificate chains
during CMP server authentication.
This option gives more flexibility than the B<-srvcert> option because the
-protection certificate is not pinned but may be any certificate
+server-side CMP signer certificate is not pinned but may be any certificate
for which a chain to one of the given trusted certificates can be constructed.
If no B<-trusted>, B<-srvcert>, and B<-secret> option is given
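Review bot: "server-side CMP signer certificate" on the changed line is a new term that the visible text does not define, and B<-own_trusted> gets the matching "client-side CMP signer certificate" later in the patch. Suggest defining both once, for example where B<-srvcert> and B<-cert> are described, and checking that no remaining "protection certificate" wording refers to the same thing.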
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
=item B<-untrusted> I<sources>
Non-trusted intermediate CA certificate(s).
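Review bot: This "have no effect" paragraph is the first of four identical copies added by the patch, while the verification-options section at the end already states the positive form (the three options only affect B<-out_trusted>). Verbatim copies drift easily; consider keeping the single statement in the verification-options section, or shortening each copy to a one-line pointer to it. "this option" also relies on the reader knowing which =item they are in, so naming the option would be clearer.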
=item B<-own_trusted> I<filenames>
If this list of certificates is provided then the chain built for
-the CMP signer certificate given with the B<-cert> option is verified
-using the given certificates as trust anchors.
+the client-side CMP signer certificate given with the B<-cert> option
+is verified using the given certificates as trust anchors.
Multiple filenames may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
=item B<-key> I<filename>
The corresponding private key file for the client's current certificate given in
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
=item B<-tls_host> I<name>
Address to be checked during hostname validation.
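Review bot: The added paragraph says that B<-verify_hostname>, B<-verify_ip> and B<-verify_email> do nothing for the option documented just before B<-tls_host>, but not what to use instead, so someone who sets B<-verify_hostname> expecting a TLS server name check gets no check from it. Since B<-tls_host> ("Address to be checked during hostname validation.") follows immediately, add a pointer to it in the new paragraph.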
Trusted certificates for client authentication.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
=item B<-srv_untrusted> I<filenames>
Intermediate CA certs that may be useful when verifying client certificates.
=over 4
-=item B<-policy>, B<-purpose>, B<-verify_name>, B<-verify_depth>,
-B<-attime>,
-B<-ignore_critical>, B<-issuer_checks>,
-B<-policy_check>,
-B<-explicit_policy>, B<-inhibit_any>, B<-inhibit_map>,
-B<-x509_strict>, B<-extended_crl>, B<-use_deltas>,
-B<-policy_print>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<-trusted_first>,
-B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>,
-B<-partial_chain>, B<-no_alt_chains>, B<-no_check_time>,
-B<-auth_level>,
-B<-allow_proxy_certs>
-
-Set various options of certificate chain verification.
-See L<openssl(1)/Verification Options> for details.
+{- $OpenSSL::safe::opt_v_item -}
+
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+only affect the certificate verification enabled via the B<-out_trusted> option.
=back
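Review bot: The new paragraph after {- $OpenSSL::safe::opt_v_item -} sits inside the =over 4 list, so in the rendered page it becomes body text of the last =item the template emits rather than a remark on the whole group. Suggest moving it before the template line or after =back, or giving the three options their own =item. With the "See L<openssl(1)/Verification Options>" line removed, also check that the expanded template still tells readers where the options are explained.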