=pod
{- OpenSSL::safe::output_do_not_edit_headers(); -}

=head1 NAME

openssl-verify - certificate verification command

=head1 SYNOPSIS

B<openssl> B<verify>
[B<-help>]
[B<-CRLfile> I<filename>|I<uri>]
[B<-crl_download>]
[B<-show_chain>]
[B<-verbose>]
[B<-trusted> I<filename>|I<uri>]
[B<-untrusted> I<filename>|I<uri>]
[B<-vfyopt> I<nm>:I<v>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_v_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
[B<-->]
[I<certificate> ...]

=head1 DESCRIPTION

This command verifies certificate chains. If a certificate chain has multiple
problems, this program attempts to display all of them.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-CRLfile> I<filename>|I<uri>

The file or URI should contain one or more CRLs in PEM or DER format.
This option can be specified more than once to include CRLs from multiple
sources.

=item B<-crl_download>

Attempt to download CRL information for certificates via their CDP entries.

=item B<-show_chain>

Display information about the certificate chain that has been built (if
successful). Certificates in the chain that came from the untrusted list will be
flagged as "untrusted".

=item B<-verbose>

Print extra information about the operations being performed.

=item B<-trusted> I<filename>|I<uri>

A file or URI of (more or less) trusted certificates.
See L<openssl-verification-options(1)> for more information on trust settings.

This option can be specified more than once to load certificates from multiple
sources.

=item B<-untrusted> I<filename>|I<uri>

A file or URI of untrusted certificates to use for chain building.
This option can be specified more than once to load certificates from multiple
sources.

=item B<-vfyopt> I<nm>:I<v>

Pass options to the signature algorithm during verify operations.
Names and values of these options are algorithm-specific.

{- $OpenSSL::safe::opt_name_item -}

{- $OpenSSL::safe::opt_engine_item -}
{- output_off() if $disabled{"deprecated-3.0"}; "" -}
To load certificates or CRLs that require engine support, specify the
B<-engine> option before any of the
B<-trusted>, B<-untrusted> or B<-CRLfile> options.
{- output_on() if $disabled{"deprecated-3.0"}; "" -}

{- $OpenSSL::safe::opt_trust_item -}

{- $OpenSSL::safe::opt_v_item -}

{- $OpenSSL::safe::opt_provider_item -}

=item B<-->

Indicates the last option. All arguments following this are assumed to be
certificate files. This is useful if the first certificate filename begins
with a B<->.

=item I<certificate> ...

One or more target certificates to verify, one per file. If no certificates are
given, this command will attempt to read a single certificate from standard
input.

=back

=head1 DIAGNOSTICS

When a verify operation fails the output messages can be somewhat cryptic. The
general form of the error message is:

 server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
 error 24 at 1 depth lookup:invalid CA certificate

The first line contains the name of the certificate being verified followed by
the subject name of the certificate. The second line contains the error number
and the depth. The depth is the number of the certificate being verified when a
problem was detected, starting with zero for the target ("leaf") certificate
itself, then 1 for the CA that signed the target certificate, and so on.
Finally a textual version of the error number is presented.

A list of the error codes and messages can be found in
L<X509_STORE_CTX_get_error(3)>; the full list is defined in the header file
F<< <openssl/x509_vfy.h> >>.
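
The following script is an added example, not part of the OpenSSL manual or test suite: it builds a throwaway root, intermediate and leaf chain in a temporary directory and runs B<verify> with B<-trusted>, B<-untrusted> and B<-show_chain>, once with a proper intermediate and once with an intermediate that is not marked as a CA, which reproduces the "error 24 at 1 depth" diagnostic shown above. All subject and file names are made up; it assumes an openssl binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example, not from the OpenSSL manual or test suite: build a throwaway
# root -> intermediate -> leaf chain in a temporary directory and exercise
# -trusted, -untrusted and -show_chain. All names are made up; needs the
# openssl binary on PATH.
set -eu

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# issue CA NAME EXTENSIONS: certificate for CN=NAME signed by CA, with
# EXTENSIONS written to an -extfile (read from its "default" section).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$DEMO/$2.key" -out "$DEMO/$2.csr" 2>/dev/null
  printf '%s\n' "$3" >"$DEMO/$2.ext"
  openssl x509 -req -in "$DEMO/$2.csr" -CA "$DEMO/$1.pem" -CAkey "$DEMO/$1.key" \
    -CAcreateserial -days 1 -extfile "$DEMO/$2.ext" -out "$DEMO/$2.pem" 2>/dev/null
}

build_pki() {
  # Self-signed root: the only member of the trusted set.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root" \
    -keyout "$DEMO/root.key" -out "$DEMO/root.pem" 2>/dev/null
  # A proper intermediate and one that is explicitly not a CA.
  issue root good-int "basicConstraints=critical,CA:TRUE"
  issue root bad-int "basicConstraints=critical,CA:FALSE"
  issue good-int leaf1 "basicConstraints=CA:FALSE"
  issue bad-int leaf2 "basicConstraints=CA:FALSE"
}

# verify_leaf LEAF INTERMEDIATE: prints OK or FAIL followed by openssl's own
# output (chain display, per-depth error lines) for the leaf certificate.
verify_leaf() {
  if out=$(openssl verify -show_chain -trusted "$DEMO/root.pem" \
             -untrusted "$DEMO/$2.pem" "$DEMO/$1.pem" 2>&1); then
    printf 'OK %s\n' "$out"
  else
    printf 'FAIL %s\n' "$out"
  fi
}

build_pki
verify_leaf leaf1 good-int  # chain built from the untrusted file; verifies
verify_leaf leaf2 bad-int   # error 24 at 1 depth lookup: invalid CA certificate
verify_leaf leaf1 bad-int   # no issuer for leaf1: error 20 at 0 depth lookup
```

The leading OK/FAIL word is the script's own summary of the exit status; everything after it is what B<verify> printed, so the depth-1 error line appears under the subject of the intermediate, not the leaf.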

This command ignores many errors, in order to allow all the problems with a
certificate chain to be determined.

=head1 SEE ALSO

L<openssl-verification-options(1)>,
L<openssl-x509(1)>,
L<ossl_store-file(7)>

=head1 HISTORY

The B<-show_chain> option was added in OpenSSL 1.1.0.

The B<-engine> option was deprecated in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut