git.ipfire.org Git - thirdparty/openssl.git/commitdiff
Add more details to the certification path building documentation
author    Marcel Merkle <marcel.merkle@sap.com>
          Mon, 9 Mar 2026 09:01:28 +0000 (10:01 +0100)
committer Tomas Mraz <tomas@openssl.foundation>
          Tue, 24 Mar 2026 17:23:38 +0000 (18:23 +0100)
Added more details about the certification path building algorithm,
especially about the behavior in case of incomplete chains in the trust
store.

Fixes #29681

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:24:15 2026
(Merged from https://github.com/openssl/openssl/pull/30317)

doc/man1/openssl-verification-options.pod

index 2fd0881fa23dd67614eaed66c9108ea198b7e7a8..8e4edf0af12bb6461d8793b99c3af63d682f2c7f 100644 (file)
@@ -212,6 +212,12 @@ it must allow for certificate signing (keyCertSign).
 The lookup first searches for issuer certificates in the trust store.
 If it does not find a match there it consults
 the list of untrusted ("intermediate" CA) certificates, if provided.
+If one issuer certificate was found in the trust store, the list of
+untrusted certificates will not be consulted anymore to find further
+issuer certificates. Therefore, either only the root certificate or an
+uninterrupted chain to the root certificate must be provided in the trust
+store for a successful verification, if B<X509_V_FLAG_PARTIAL_CHAIN>
+is not enabled.
 
 =head2 Certification Path Validation
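Review bot: the second added sentence ("either only the root certificate or an uninterrupted chain to the root certificate must be provided in the trust store") understates the rule the first sentence describes and can be read as if the trust store may contain nothing but the root. What the first sentence actually implies is a condition on whichever issuer is found in the trust store first: from that certificate up to the root, every further issuer must also be in the trust store, because the untrusted list is not consulted again once a trusted issuer has been selected (a trust store holding the root plus an intermediate whose own issuer is only in the untrusted list fails, while the same store without that intermediate succeeds). Suggest rewording the two sentences along the lines of: "Once an issuer certificate has been found in the trust store, the list of untrusted certificates is no longer consulted for the remaining issuers. Hence all certificates from that issuer up to the root must be present in the trust store for verification to succeed, unless B<X509_V_FLAG_PARTIAL_CHAIN> is set." Minor style points in the same lines: "was found" reads better as "has been found", and "will not be consulted anymore" as "is no longer consulted". Since this is a man1 page, consider also pointing readers to the B<-partial_chain> option documented on this page, which is how the flag is set from the command line.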