git.ipfire.org Git - thirdparty/openssl.git/commitdiff
Add more details to the certification path building documentation
author: Marcel Merkle <marcel.merkle@sap.com>
Mon, 9 Mar 2026 09:01:28 +0000 (10:01 +0100)
committer: Tomas Mraz <tomas@openssl.foundation>
Tue, 24 Mar 2026 17:24:47 +0000 (18:24 +0100)
Added more details about the certification path building algorithm,
especially about the behavior in case of incomplete chains in the trust
store.

Fixes #29681

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:24:15 2026
(Merged from https://github.com/openssl/openssl/pull/30317)

(cherry picked from commit 6a5fea7ec5df1c8cc4bb5006013301b41d0accd4)

doc/man1/openssl-verification-options.pod

index 81a11c37f4c49d8bc66905508b4319d94bf2c978..22d32f0d5567224aaa902b561d44959209e79c27 100644
@@ -142,6 +142,12 @@ equals the public key algorithm of the candidate issuer certificate.
 The lookup first searches for issuer certificates in the trust store.
 If it does not find a match there it consults
 the list of untrusted ("intermediate" CA) certificates, if provided.
+If one issuer certificate was found in the trust store, the list of
+untrusted certificates will not be consulted anymore to find further
+issuer certificates. Therefore, either only the root certificate or an
+uninterrupted chain to the root certificate must be provided in the trust
+store for a successful verification, if B<X509_V_FLAG_PARTIAL_CHAIN>
+is not enabled.
 
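Review bot: The condition "If one issuer certificate was found in the trust store" in the added paragraph is ambiguous about scope; it should state that once any certificate in the chain is resolved from the trust store, the untrusted list is no longer consulted for that certificate's issuer or for any issuer above it, so the remainder of the chain up to the root must be present in the trust store unless B<X509_V_FLAG_PARTIAL_CHAIN> is set. Suggest rewording the first sentence to something like "Once an issuer certificate has been found in the trust store, the list of untrusted certificates is no longer consulted for the remaining issuers." and changing "will not be consulted anymore" to "is no longer consulted" for consistency with the present-tense wording of the two preceding sentences.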
 =head2 Certification Path Validation