From: Marcel Merkle Date: Mon, 9 Mar 2026 09:01:28 +0000 (+0100) Subject: Add more details to the certification path building documentation X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6a5fea7ec5df1c8cc4bb5006013301b41d0accd4;p=thirdparty%2Fopenssl.git Add more details to the certification path building documentation Added more details about the certification path building algorithm, especially about the behavior in case of incomplete chains in the trust store. Fixes #29681 Reviewed-by: Eugene Syromiatnikov Reviewed-by: Nikola Pajkovsky Reviewed-by: Tomas Mraz MergeDate: Tue Mar 24 17:24:15 2026 (Merged from https://github.com/openssl/openssl/pull/30317) --- diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod index 2fd0881fa23..8e4edf0af12 100644 --- a/doc/man1/openssl-verification-options.pod +++ b/doc/man1/openssl-verification-options.pod @@ -212,6 +212,12 @@ it must allow for certificate signing (keyCertSign). The lookup first searches for issuer certificates in the trust store. If it does not find a match there it consults the list of untrusted ("intermediate" CA) certificates, if provided. +If one issuer certificate was found in the trust store, the list of +untrusted certificates will not be consulted anymore to find further +issuer certificates. Therefore, either only the root certificate or an +uninterrupted chain to the root certificate must be provided in the trust +store for a successful verification, if B +is not enabled. =head2 Certification Path Validation
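Review bot: the exception clause at the end of the added paragraph reads "if B is not enabled" with nothing after the B<> markup, so the one option that changes the outcome is never named in the rendered text; please check the POD source so that the tag carries the option name (B<-option>) of the flag that permits an incomplete chain, otherwise the sentence cannot be acted on. The wording could also be tightened: "will not be consulted anymore to find further issuer certificates" reads better as "is not consulted again for further issuer certificates", and "either only the root certificate or an uninterrupted chain to the root certificate must be provided in the trust store" as "the trust store must contain either the root certificate alone or an uninterrupted chain up to it". It would also help readers to spell out the case the paragraph is guarding against, which follows directly from the two sentences: an intermediate CA in the trust store whose root is supplied only in the untrusted list does not verify, because the root is never looked up once the intermediate has been taken from the trust store.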
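The rule stated in the new documentation paragraph can be checked directly with openssl verify. The script below is an added example (not from the OpenSSL documentation, source or test suite): it builds a throwaway root, intermediate and leaf with the openssl CLI (names, lifetimes and the P-256 keys are arbitrary test values) and then runs openssl verify with the trust store (-CAfile) and the untrusted list (-untrusted) populated in four different ways. -no-CAfile and -no-CApath keep the system default trust store out of the experiment, and -partial_chain is the existing verify option that lets a trusted, non-self-signed certificate terminate the chain. The script assumes an openssl 1.1.1 or 3.x binary on PATH, a usable default openssl.cnf (req needs it) and a writable temporary directory.

```sh
#!/bin/sh
# Added example, not part of OpenSSL: show that once an issuer is taken from
# the trust store, the untrusted list is not consulted again, so a trust store
# holding only an intermediate CA needs -partial_chain or the root as well.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the throwaway PKI (assumption)

# make_test_pki: root (self-signed CA) -> inter (CA, signed by root) -> leaf.
# Runs in a subshell so the caller's working directory is untouched.
make_test_pki() (
  cd "$WORK"
  # Extension files for "openssl x509 -req -extfile"; an unnamed section.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

  # Self-signed root; req -x509 marks it as a CA via the default extensions.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout root.key -out root.pem -subj '/CN=Test Root' -days 3650 2>/dev/null

  # Intermediate CA signed by the root.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout inter.key -out inter.csr -subj '/CN=Test Intermediate' 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out inter.pem 2>/dev/null

  # End-entity certificate signed by the intermediate.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout leaf.key -out leaf.csr -subj '/CN=leaf.test' 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null

  # An uninterrupted chain (intermediate + root) to load as one trust store.
  cat inter.pem root.pem > chain.pem
)

# verify_leaf ARGS...: run "openssl verify ARGS leaf.pem" inside $WORK and
# print OK or FAIL. -no-CAfile/-no-CApath exclude the system default store so
# only the certificates named in ARGS are trusted.
verify_leaf() {
  if (cd "$WORK" && openssl verify -no-CAfile -no-CApath "$@" leaf.pem >/dev/null 2>&1); then
    echo OK
  else
    echo FAIL
  fi
}

make_test_pki

# 1. Root trusted, intermediate untrusted: OK. The leaf's issuer is not in the
#    trust store, so the untrusted list is consulted, the intermediate is
#    found there, and its issuer (the root) is then found in the trust store.
echo "root trusted, intermediate untrusted:   $(verify_leaf -CAfile root.pem -untrusted inter.pem)"

# 2. Intermediate trusted, root only untrusted: FAIL. The leaf's issuer is
#    found in the trust store at once; from then on the untrusted list is not
#    consulted, so the root is never reached and the chain is incomplete.
echo "intermediate trusted, root untrusted:   $(verify_leaf -CAfile inter.pem -untrusted root.pem)"

# 3. Same trust store, -partial_chain: OK. A trusted certificate that is not
#    self-signed is now allowed to end the chain.
echo "intermediate trusted, -partial_chain:   $(verify_leaf -CAfile inter.pem -partial_chain)"

# 4. Intermediate and root both in the trust store: OK, the chain to the root
#    is uninterrupted inside the trust store.
echo "intermediate and root both trusted:     $(verify_leaf -CAfile chain.pem)"
```

Case 2 is the one the documentation paragraph warns about: supplying the root through -untrusted does not rescue a trust store that contains only the intermediate. Either put the root (or the whole chain) into the trust store, as in cases 1 and 4, or opt into incomplete chains with -partial_chain, as in case 3.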