{ "cades", OPT_DUP, '-', "Check signingCertificate (CAdES-BES)" },
{ "verify_retcode", OPT_VERIFY_RETCODE, '-',
"Exit non-zero on verification failure" },
- { "CAfile", OPT_CAFILE, '<', "Trusted certificates file" },
- { "CApath", OPT_CAPATH, '/', "Trusted certificates directory" },
- { "CAstore", OPT_CASTORE, ':', "Trusted certificates store URI" },
+ { "CAfile", OPT_CAFILE, '<', "File in PEM format with trusted CA certs" },
+ { "CApath", OPT_CAPATH, '/', "Dir with trusted CA cert files in PEM format" },
+ { "CAstore", OPT_CASTORE, ':', "URI of store with trusted CA certs" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
{ "gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one" },
OPT_SECTION("Certificate"),
- { "CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir" },
- { "CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name" },
- { "CAstore", OPT_CASTORE, ':', "Verify CRL using certificates in store URI" },
+ { "CAfile", OPT_CAFILE, '<', "File in PEM format with trusted CA certs" },
+ { "CApath", OPT_CAPATH, '/', "Dir with trusted CA cert files in PEM format" },
+ { "CAstore", OPT_CASTORE, ':', "URI of store with trusted CA certs" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
vfy = X509_STORE_new();
if (vfy == NULL)
goto err;
- if (vfyCAfile != NULL && !X509_STORE_load_file(vfy, vfyCAfile))
+ if (vfyCAfile != NULL && !X509_STORE_load_file(vfy, vfyCAfile)) {
+ BIO_printf(bio_err, "Error loading trusted peer verification cert file %s\n", vfyCAfile);
goto err;
- if (vfyCApath != NULL && !X509_STORE_load_path(vfy, vfyCApath))
+ }
+ if (vfyCApath != NULL && !X509_STORE_load_path(vfy, vfyCApath)) {
+ BIO_printf(bio_err, "Error adding trusted peer verification certs directory %s\n", vfyCApath);
goto err;
- if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore))
+ }
+ if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore)) {
+ BIO_printf(bio_err, "Error adding trusted peer verification cert store file %s\n", vfyCAstore);
goto err;
+ }
add_crls_store(vfy, crls);
if (SSL_CTX_set1_verify_cert_store(ctx, vfy) == 0)
goto err;
ch = X509_STORE_new();
if (ch == NULL)
goto err;
- if (chCAfile != NULL && !X509_STORE_load_file(ch, chCAfile))
+ if (chCAfile != NULL && !X509_STORE_load_file(ch, chCAfile)) {
+ BIO_printf(bio_err, "Error loading trusted chain building cert file %s\n", chCAfile);
goto err;
- if (chCApath != NULL && !X509_STORE_load_path(ch, chCApath))
+ }
+ if (chCApath != NULL && !X509_STORE_load_path(ch, chCApath)) {
+ BIO_printf(bio_err, "Error adddng trusted chain building cert directory %s\n", chCApath);
goto err;
- if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore))
+ }
+ if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore)) {
+ BIO_printf(bio_err, "Error adddng trusted chain building cert store file %s\n", chCAstore);
goto err;
+ }
if (SSL_CTX_set1_chain_cert_store(ctx, ch) == 0)
goto err;
}
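Review bot: The two new chain-building messages misspell "adding" as "adddng" (`"Error adddng trusted chain building cert directory %s\n"` and `"Error adddng trusted chain building cert store file %s\n"`); they should read `"Error adding trusted chain building cert directory %s\n"` and `"Error adding trusted chain building cert store %s\n"`. Dropping "file" from the store messages (also the one for vfyCAstore) is worth doing at the same time, since the argument is a store URI that need not name a file. The wording of the verification-side messages alternates between "loading" and "adding" for the same kind of failure; picking one verb for all six keeps the output greppable. The enclosing function begins before this hunk, so the `err` label the new branches jump to is not visible here.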
{ "help", OPT_HELP, '-', "Display this summary" },
{ "ignore_err", OPT_IGNORE_ERR, '-',
"Ignore error on OCSP request or response and continue running" },
- { "CAfile", OPT_CAFILE, '<', "Trusted certificates file" },
- { "CApath", OPT_CAPATH, '<', "Trusted certificates directory" },
- { "CAstore", OPT_CASTORE, ':', "Trusted certificates store URI" },
+ { "CAfile", OPT_CAFILE, '<', "File in PEM format with trusted CA certs" },
+ { "CApath", OPT_CAPATH, '/', "Dir with trusted CA cert files in PEM format" },
+ { "CAstore", OPT_CASTORE, ':', "URI of store with trusted CA certs" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
{ OPT_MORE_STR, 0, 0,
"which is the 1st cert from -in matching the private key (if given)" },
{ "untrusted", OPT_UNTRUSTED, '<', "Untrusted certificates for chain building" },
- { "CAfile", OPT_CAFILE, '<', "PEM-format file of CA's" },
- { "CApath", OPT_CAPATH, '/', "PEM-format directory of CA's" },
- { "CAstore", OPT_CASTORE, ':', "URI to store of CA's" },
+ { "CAfile", OPT_CAFILE, '<', "File in PEM format with trusted CA certs" },
+ { "CApath", OPT_CAPATH, '/', "Dir with trusted CA cert files in PEM format" },
+ { "CAstore", OPT_CASTORE, ':', "URI of store with trusted CA certs" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
{ "pass", OPT_PASS, 's', "Private key and cert file pass phrase source" },
{ "verify", OPT_VERIFY, 'p', "Turn on peer certificate verification, set depth" },
{ "nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options" },
- { "CApath", OPT_CAPATH, '/', "PEM format directory of CA's" },
- { "CAfile", OPT_CAFILE, '<', "PEM format file of CA's" },
- { "CAstore", OPT_CASTORE, ':', "URI to store of CA's" },
+ { "CAfile", OPT_CAFILE, '<', "File in PEM format with trusted CA certs" },
+ { "CApath", OPT_CAPATH, '/', "Dir with trusted CA cert files in PEM format" },
+ { "CAstore", OPT_CASTORE, ':', "URI of store with trusted CA certs" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
"Close connection on verification error" },
{ "verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors" },
{ "chainCAfile", OPT_CHAINCAFILE, '<',
- "CA file for certificate chain (PEM format)" },
+ "File in PEM format with trusted CA certs to build own cert chain" },
{ "chainCApath", OPT_CHAINCAPATH, '/',
- "Use dir as certificate store path to build CA certificate chain" },
+ "Dir with trusted CA cert files in PEM format to build own cert chain" },
{ "chainCAstore", OPT_CHAINCASTORE, ':',
- "CA store URI for certificate chain" },
+ "URI of trusted CA cert store to build own cert chain" },
+ { OPT_MORE_STR, 0, 0,
+ "NOTE: these override -CApath, -CAfile, and -CAstore for client chain building" },
{ "verifyCAfile", OPT_VERIFYCAFILE, '<',
- "CA file for certificate verification (PEM format)" },
+ "File in PEM format with trusted CA certs for server cert verification" },
{ "verifyCApath", OPT_VERIFYCAPATH, '/',
- "Use dir as certificate store path to verify CA certificate" },
+ "Dir with trusted CA cert files in PEM format for server cert verification" },
{ "verifyCAstore", OPT_VERIFYCASTORE, ':',
- "CA store URI for certificate verification" },
+ "URI of trusted CA cert store for server cert verification" },
+ { OPT_MORE_STR, 0, 0,
+ "NOTE: these override -CApath, -CAfile, and -CAstore for server cert verification" },
OPT_X_OPTIONS,
OPT_PROV_OPTIONS,
vfyCApath, vfyCAfile, vfyCAstore,
chCApath, chCAfile, chCAstore,
crls, crl_download)) {
- BIO_puts(bio_err, "Error loading store locations\n");
+ BIO_puts(bio_err, "Error loading store locations for server cert verification and client cert chain building\n");
goto end;
}
if (ReqCAfile != NULL) {
SSL_CTX_set_verify(ctx, verify, verify_callback);
if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
- CAstore, noCAstore))
+ CAstore, noCAstore)) {
+ BIO_puts(bio_err, "Error setting default locations for trusted certificates\n");
goto end;
+ }
ssl_ctx_add_crls(ctx, crls, crl_download);
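Review bot: The new message `"Error setting default locations for trusted certificates\n"` names only the default locations, but the ctx_set_verify_locations() call it reports on is also passed the explicit CAfile, CApath and CAstore arguments visible on the line above, so a failure to load a user-supplied `-CAfile` would be reported as a default-location problem. A neutral wording such as `"Error setting up trusted certificate locations\n"` covers both cases. The enclosing function starts and ends outside the hunk.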
OPT_SECTION("Identity"),
{ "context", OPT_CONTEXT, 's', "Set session ID context" },
- { "CAfile", OPT_CAFILE, '<', "PEM format file of CA's" },
- { "CApath", OPT_CAPATH, '/', "PEM format directory of CA's" },
- { "CAstore", OPT_CASTORE, ':', "URI to store of CA's" },
+ { "CAfile", OPT_CAFILE, '<', "File in PEM format with trusted CA certs" },
+ { "CApath", OPT_CAPATH, '/', "Dir with trusted CA cert files in PEM format" },
+ { "CAstore", OPT_CASTORE, ':', "URI of store with trusted CA certs" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
{ "crl_download", OPT_CRL_DOWNLOAD, '-',
"Download CRLs from distribution points in certificate CDP entries" },
{ "chainCAfile", OPT_CHAINCAFILE, '<',
- "CA file for certificate chain (PEM format)" },
+ "File in PEM format with trusted CA certs to build own cert chain" },
{ "chainCApath", OPT_CHAINCAPATH, '/',
- "use dir as certificate store path to build CA certificate chain" },
+ "Dir with trusted CA cert files in PEM format to build own cert chain" },
{ "chainCAstore", OPT_CHAINCASTORE, ':',
- "use URI as certificate store to build CA certificate chain" },
+ "URI of trusted CA cert store to build own cert chain" },
+ { OPT_MORE_STR, 0, 0,
+ "NOTE: these override -CApath, -CAfile, and -CAstore for server chain building" },
{ "verifyCAfile", OPT_VERIFYCAFILE, '<',
- "CA file for certificate verification (PEM format)" },
+ "File in PEM format with trusted CA certs for client cert verification" },
{ "verifyCApath", OPT_VERIFYCAPATH, '/',
- "use dir as certificate store path to verify CA certificate" },
+ "Dir with trusted CA cert files in PEM format for client cert verification" },
{ "verifyCAstore", OPT_VERIFYCASTORE, ':',
- "use URI as certificate store to verify CA certificate" },
+ "URI of trusted CA cert store for client cert verification" },
+ { OPT_MORE_STR, 0, 0,
+ "NOTE: these override -CApath, -CAfile, and -CAstore for client cert verification" },
{ "expected-rpks", OPT_EXPECTED_RPK, '<',
"PEM file with expected client public key(s)" },
{ "no_cache", OPT_NO_CACHE, '-', "Disable session cache" },
{ "nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options" },
{ "cert", OPT_CERT, '<', "Cert file to use, PEM format assumed" },
{ "key", OPT_KEY, '<', "File with key, PEM; default is -cert file" },
- { "cafile", OPT_CAFILE, '<', "PEM format file of CA's" },
- { "CAfile", OPT_CAFILE, '<', "PEM format file of CA's" },
- { "CApath", OPT_CAPATH, '/', "PEM format directory of CA's" },
+ { "cafile", OPT_CAFILE, '<', "Deprecated alias of -CAfile" },
+ { "CAfile", OPT_CAFILE, '<', "File in PEM format with trusted CA certs" },
+ { "CApath", OPT_CAPATH, '/', "Dir with trusted CA cert files in PEM format" },
+ { "CAstore", OPT_CASTORE, ':', "URI of store with trusted CA certs" },
{ "CAstore", OPT_CASTORE, ':', "URI to store of CA's" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
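Review bot: After this hunk the options table contains two entries for the same option name: the added `{ "CAstore", OPT_CASTORE, ':', "URI of store with trusted CA certs" },` immediately followed by the pre-existing `{ "CAstore", OPT_CASTORE, ':', "URI to store of CA's" },` left as a context line, so the old line should have been removed along with the other replaced entries. As it stands `-help` lists `-CAstore` twice with different text, and opt_init() checks option names for uniqueness in debug builds, if I recall correctly, so this would likely trip that check. The fix is to delete the unchanged `"URI to store of CA's"` line. The table's opening and closing braces are outside the hunk.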
{ "nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute" },
OPT_SECTION("Certificate chain"),
- { "CApath", OPT_CAPATH, '/', "Trusted certificates directory" },
- { "CAfile", OPT_CAFILE, '<', "Trusted certificates file" },
- { "CAstore", OPT_CASTORE, ':', "Trusted certificates store URI" },
+ { "CAfile", OPT_CAFILE, '<', "File in PEM format with trusted CA certs" },
+ { "CApath", OPT_CAPATH, '/', "Dir with trusted CA cert files in PEM format" },
+ { "CAstore", OPT_CASTORE, ':', "URI of store with trusted CA certs" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
{ "inkey", OPT_INKEY, 's', "File with private key for reply" },
{ "signer", OPT_SIGNER, 's', "Signer certificate file" },
{ "chain", OPT_CHAIN, '<', "File with signer CA chain" },
- { "CAfile", OPT_CAFILE, '<', "File with trusted CA certs" },
- { "CApath", OPT_CAPATH, '/', "Path to trusted CA files" },
- { "CAstore", OPT_CASTORE, ':', "URI to trusted CA store" },
+ { "CAfile", OPT_CAFILE, '<', "File in PEM format with trusted CA certs" },
+ { "CApath", OPT_CAPATH, '/', "Dir with trusted CA cert files in PEM format" },
+ { "CAstore", OPT_CASTORE, ':', "URI of store with trusted CA certs" },
{ "untrusted", OPT_UNTRUSTED, '<', "Extra untrusted certs" },
{ "token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file" },
{ "token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file" },
OPT_SECTION("Certificate chain"),
{ "trusted", OPT_TRUSTED, '<', "A file of trusted certificates" },
- { "CAfile", OPT_CAFILE, '<', "A file of trusted certificates" },
- { "CApath", OPT_CAPATH, '/', "A directory of files with trusted certificates" },
- { "CAstore", OPT_CASTORE, ':', "URI to a store of trusted certificates" },
+ { "CAfile", OPT_CAFILE, '<', "File in PEM format with trusted CA certs" },
+ { "CApath", OPT_CAPATH, '/', "Dir with trusted CA cert files in PEM format" },
+ { "CAstore", OPT_CASTORE, ':', "URI of store with trusted CA certs" },
{ "no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default trusted certificates file" },
{ "no-CApath", OPT_NOCAPATH, '-',
[B<-verify> I<depth>]
[B<-verify_return_error>]
[B<-verify_quiet>]
+{- $OpenSSL::safe::opt_trust_synopsis -}
[B<-verifyCAfile> I<filename>]
[B<-verifyCApath> I<dir>]
[B<-verifyCAstore> I<uri>]
+[B<-chainCAfile> I<filename>]
+[B<-chainCApath> I<directory>]
+[B<-chainCAstore> I<uri>]
[B<-cert> I<filename>]
[B<-certform> B<DER>|B<PEM>|B<P12>]
[B<-cert_chain> I<filename>]
[B<-key> I<filename>|I<uri>]
[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-pass> I<arg>]
-[B<-chainCAfile> I<filename>]
-[B<-chainCApath> I<directory>]
-[B<-chainCAstore> I<uri>]
[B<-requestCAfile> I<filename>]
[B<-dane_tlsa_domain> I<domain>]
[B<-dane_tlsa_rrdata> I<rrdata>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
-{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_s_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
Limit verify output to only errors.
+{- $OpenSSL::safe::opt_trust_item -}
+
+The certificates loaded via the B<-CAfile>, B<-CApath>, and B<-CAstore> options
+are used as trust anchors when verifying the server's certificate unless
+overridden by B<-verifyCAfile>, B<-verifyCApath>, or B<-verifyCAstore> options.
+They are also used as trust anchors when attempting
+to build the client certificate chain provided to the server unless
+overridden by B<-chainCAfile>, B<-chainCApath>, or B<-chainCAstore> options.
+
=item B<-verifyCAfile> I<filename>
-A file in PEM format containing trusted certificates to use
-for verifying the server's certificate.
+A file in PEM format containing one or more CA certificates
+to trust for verifying the server's certificate.
+
+This and the following two options, B<-verifyCApath> and B<-verifyCAstore>,
+take precedence over the B<-CAfile>, B<-CApath>, and B<-CAstore> options.
=item B<-verifyCApath> I<dir>
-A directory containing trusted certificates to use
-for verifying the server's certificate.
+A directory with files in PEM format containing CA certificates
+to trust for verifying the server's certificate.
This directory must be in "hash format",
see L<openssl-verify(1)> for more information.
=item B<-verifyCAstore> I<uri>
-The URI of a store containing trusted certificates to use
-for verifying the server's certificate.
+URI of a store containing CA certificates
+to trust for verifying the server's certificate.
+The URI may indicate a single certificate, as well as a collection of them.
+With URIs in the C<file:> scheme, this is generally treated like B<-verifyCApath> or
+B<-verifyCAfile>, depending on if the URI indicates a directory or a single file.
+See L<ossl_store(7)> for more information on stores and supported schemes.
When any of B<-verifyCAfile>, B<-verifyCApath>, or B<-verifyCAstore> is
specified, they are loaded into a separate verification store (via
=item B<-chainCAfile> I<file>
-A file in PEM format containing trusted certificates to use
-when attempting to build the client certificate chain.
+A file in PEM format containing one or more trusted CA certificates to use
+when attempting to build the client certificate chain provided to the server.
+
+This and the following two options, B<-chainCApath> and B<-chainCAstore>,
+take precedence over the B<-CAfile>, B<-CApath>, and B<-CAstore> options.
=item B<-chainCApath> I<directory>
-A directory containing trusted certificates to use
-for building the client certificate chain provided to the server.
+A directory with files in PEM format containing trusted CA certificates to use
+when attempting to build the client certificate chain provided to the server.
This directory must be in "hash format",
see L<openssl-verify(1)> for more information.
=item B<-chainCAstore> I<uri>
The URI of a store containing trusted certificates to use
-when attempting to build the client certificate chain.
+when attempting to build the client certificate chain provided to the server.
The URI may indicate a single certificate, as well as a collection of them.
-With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
-B<-chainCApath>, depending on if the URI indicates a directory or a
-single file.
-See L<ossl_store-file(7)> for more information on the C<file:> scheme.
+With URIs in the C<file:> scheme, this is generally treated like B<-chainCApath> or
+B<-chainCAfile>, depending on whether the URI points to a directory or a single file.
+See L<ossl_store(7)> for more information on stores and supported schemes.
=item B<-requestCAfile> I<file>
{- $OpenSSL::safe::opt_x_item -}
-{- $OpenSSL::safe::opt_trust_item -}
-
{- $OpenSSL::safe::opt_s_item -}
{- $OpenSSL::safe::opt_r_item -}
L<SSL_CTX_set_max_send_fragment(3)>,
L<SSL_CTX_set_split_send_fragment(3)>,
L<SSL_CTX_set_max_pipelines(3)>,
-L<ossl_store-file(7)>
+L<ossl_store(7)>
=head1 HISTORY
A file in PEM format containing trusted CA certificates (root and/or
intermediate) used to verify the client certificate chain.
+This and the following two options, B<-verifyCApath> and B<-verifyCAstore>,
+take precedence over the B<-CAfile>, B<-CApath>, and B<-CAstore> options.
+
=item B<-verifyCApath> I<dir>
A directory containing trusted certificates to use
=item B<-verifyCAstore> I<uri>
-The URI of a store containing trusted certificates to use
+URI of a store containing trusted certificates to use
for verifying client certificates.
+The URI may indicate a single certificate, as well as a collection of them.
+With URIs in the C<file:> scheme, this is generally treated like B<-verifyCApath> or
+B<-verifyCAfile>, depending on whether the URI points to a directory or a single file.
+See L<ossl_store(7)> for more information on stores and supported schemes.
-When any of B<-verifyCAfile>, B<-verifyCApath>, or B<-verifyCAstore> is
-specified, they are loaded into a separate verification store (via
-L<SSL_CTX_set1_verify_cert_store(3)>) and used for client certificate
-verification instead of the store built from B<-CAfile>, B<-CApath>, and
-B<-CAstore>. Note that B<-CAfile> is the sole source of acceptable issuing
+Note that B<-CAfile> is the sole source of acceptable issuing
CA names sent to the client in the Certificate Request message during the
handshake; B<-CApath>, B<-CAstore>, and the B<-verifyCA*> options do not
contribute to this list.
A file in PEM format containing trusted certificates to use
when attempting to build the server certificate chain.
+This and the following two options, B<-chainCApath> and B<-chainCAstore>,
+take precedence over the B<-CAfile>, B<-CApath>, and B<-CAstore> options.
+
=item B<-chainCApath> I<dir>
A directory containing trusted certificates to use
The URI of a store containing trusted certificates to use
for building the server certificate chain provided to the client.
The URI may indicate a single certificate, as well as a collection of them.
-With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
-B<-chainCApath>, depending on if the URI indicates a directory or a
-single file.
-See L<ossl_store-file(7)> for more information on the C<file:> scheme.
+With URIs in the C<file:> scheme, this is generally treated like B<-chainCApath> or
+B<-chainCAfile>, depending on whether the URI points to a directory or a single file.
+See L<ossl_store(7)> for more information on stores and supported schemes.
=item B<-nocert>
{- $OpenSSL::safe::opt_trust_item -}
+The certificates loaded via the B<-CAfile>, B<-CApath>, and B<-CAstore> options
+are used as trust anchors when verifying client certificates unless
+overridden by B<-verifyCAfile>, B<-verifyCApath>, or B<-verifyCAstore> options.
+They are also used as trust anchors when attempting
+to build the server certificate chain provided to clients unless
+overridden by B<-chainCAfile>, B<-chainCApath>, or B<-chainCAstore> options.
+
+B<-CAfile> also determines the list of acceptable issuing CA names
+sent to the client in the Certificate Request message during the handshake;
+B<-CApath>, B<-CAstore>, and the B<-verifyCA*> options do not contribute here.
+
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_provider_item -}
L<SSL_CTX_set_max_send_fragment(3)>,
L<SSL_CTX_set_split_send_fragment(3)>,
L<SSL_CTX_set_max_pipelines(3)>,
-L<ossl_store-file(7)>
+L<ossl_store(7)>
=head1 HISTORY
Use the specified directory as a collection of trusted certificates,
i.e., a trust store.
-Files should be named with the hash value of the X.509 SubjectName of each
+Each file should contain exactly one certificate in PEM format.
+It should be named with the hash value of the X.509 SubjectName of the
certificate. This is so that the library can extract the IssuerName,
hash it, and directly lookup the file to get the issuer certificate.
See L<openssl-rehash(1)> for information on creating this type of directory.
=item B<-CAstore> I<uri>
-Use I<uri> as a store of CA certificates.
-The URI may indicate a single certificate, as well as a collection of them.
-With URIs in the C<file:> scheme, this acts as B<-CAfile> or
-B<-CApath>, depending on if the URI indicates a single file or
-directory.
-See L<ossl_store-file(7)> for more information on the C<file:> scheme.
+Use I<uri> as a store of trusted certificates.
+The URI may indicate a single certificate or a collection of them.
+When the URI references a file, only the PEM format is supported.
+With URIs in the C<file:> scheme, this is generally treated like B<-CApath> or
+B<-CAfile>, depending on whether the URI indicates a directory or a single file.
+See L<ossl_store(7)> for more information on stores and supported schemes.
These certificates are also used when building the server certificate
chain (for example with L<openssl-s_server(1)>) or client certificate
=item B<-no-CAstore>
-Do not use the default store of trusted CA certificates.
+Do not use the default store of trusted certificates.
=back
=item B<-trusted> I<file>
-Parse I<file> as a set of one or more certificates.
+Parse I<file> as a set of one or more certificates in PEM format.
Each of them qualifies as trusted if has a suitable positive trust attribute
or it is apparently self-signed or the B<-partial_chain> option is specified.
This option implies the B<-no-CAfile>, B<-no-CApath>, and B<-no-CAstore> options
=item B<-untrusted> I<file>
-Parse I<file> as a set of one or more certificates.
+Parse I<file> as a set of one or more certificates in PEM format.
All certificates (typically of intermediate CAs) are considered untrusted
and may be used to
construct a certificate chain from the target certificate to a trust anchor.
=item "input-type" (B<OSSL_STORE_PARAM_INPUT_TYPE>) <utf8 string>
Type of the input format as a hint to use when decoding the objects in the
-store.
+store, such as C<DER> and C<PEM>.
+See L<openssl-format-options(1)> for details on their use for OpenSSL commands.
+
=back