author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-28 12:01:04 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-11-10 13:25:45 +0100 |
commit | acb934ff55e69d5cc3025d9ba20f4916089d1b83 (patch) | |
tree | eddcefe06332a6b1848b8c86964587447399eea7 /doc | |
parent | d3d6f49dd0e843f65329fb5181080bd68362ab3c (diff) |
openssl-cmp.pod.in: Clean up doc of -verify_email, -verify_hostname, and -verify_ip
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12932)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/openssl-cmp.pod.in | 93 |
1 files changed, 28 insertions, 65 deletions
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 8f483309ea..59be1e8cb5 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -35,9 +35,6 @@ Certificate enrollment options: [B<-popo> I<number>] [B<-csr> I<filename>] [B<-out_trusted> I<filenames>] -[B<-verify_hostname> I<cn>] -[B<-verify_ip> I<ip>] -[B<-verify_email> I<email>] [B<-implicit_confirm>] [B<-disable_confirm>] [B<-certout> I<filename>] @@ -140,33 +137,7 @@ Mock server options: Certificate verification options, for both CMP and TLS: -[B<-policy> I<arg>] -[B<-purpose> I<purpose>] -[B<-verify_name> I<name>] -[B<-verify_depth> I<num>] -[B<-auth_level> I<level>] -[B<-attime> I<timestamp>] -[B<-ignore_critical>] -[B<-issuer_checks>] -[B<-policy_check>] -[B<-explicit_policy>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-x509_strict>] -[B<-extended_crl>] -[B<-use_deltas>] -[B<-policy_print>] -[B<-check_ss_sig>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-trusted_first>] -[B<-suiteB_128_only>] -[B<-suiteB_128>] -[B<-suiteB_192>] -[B<-partial_chain>] -[B<-no_alt_chains>] -[B<-no_check_time>] -[B<-allow_proxy_certs>] +{- $OpenSSL::safe::opt_v_synopsis -} =head1 DESCRIPTION 
@@ -378,23 +349,9 @@ Multiple filenames may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Each source may contain multiple certificates. -=item B<-verify_hostname> I<name> - -When verification of the newly enrolled certificate is enabled (with the -B<-out_trusted> option), check if any DNS Subject Alternative Name (or if no -DNS SAN is included, the Common Name in the subject) equals the given B<name>. - -=item B<-verify_ip> I<ip> - -When verification of the newly enrolled certificate is enabled (with the -B<-out_trusted> option), check if there is -an IP address Subject Alternative Name matching the given IP address. - -=item B<-verify_email> I<email> - -When verification of the newly enrolled certificate is enabled (with the -B<-out_trusted> option), check if there is -an email address Subject Alternative Name matching the given email address. +The certificate verification options +B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> +only affect the certificate verification enabled via this option. =item B<-implicit_confirm> @@ -511,7 +468,7 @@ When verifying signature-based protection of CMP response messages, these are the CA certificate(s) to trust while checking certificate chains during CMP server authentication. This option gives more flexibility than the B<-srvcert> option because the -protection certificate is not pinned but may be any certificate +server-side CMP signer certificate is not pinned but may be any certificate for which a chain to one of the given trusted certificates can be constructed. If no B<-trusted>, B<-srvcert>, and B<-secret> option is given 
@@ -521,6 +478,10 @@ Multiple filenames may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Each source may contain multiple certificates. +The certificate verification options +B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> +have no effect on the certificate verification enabled via this option. + =item B<-untrusted> I<sources> Non-trusted intermediate CA certificate(s). @@ -666,13 +627,17 @@ is included in the extraCerts field in signature-protected request messages. =item B<-own_trusted> I<filenames> If this list of certificates is provided then the chain built for -the CMP signer certificate given with the B<-cert> option is verified -using the given certificates as trust anchors. +the client-side CMP signer certificate given with the B<-cert> option +is verified using the given certificates as trust anchors. Multiple filenames may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Each source may contain multiple certificates. +The certificate verification options +B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> +have no effect on the certificate verification enabled via this option. + =item B<-key> I<filename> The corresponding private key file for the client's current certificate given in @@ -808,6 +773,10 @@ Multiple filenames may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Each source may contain multiple certificates. +The certificate verification options +B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> +have no effect on the certificate verification enabled via this option. + =item B<-tls_host> I<name> Address to be checked during hostname validation. 
@@ -913,6 +882,10 @@ Server private key (and cert) file pass phrase source. Trusted certificates for client authentication. +The certificate verification options +B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> +have no effect on the certificate verification enabled via this option. + =item B<-srv_untrusted> I<filenames> Intermediate CA certs that may be useful when verifying client certificates. @@ -991,21 +964,11 @@ Accept RAVERIFED as proof-of-possession (POPO). =over 4 -=item B<-policy>, B<-purpose>, B<-verify_name>, B<-verify_depth>, -B<-attime>, -B<-ignore_critical>, B<-issuer_checks>, -B<-policy_check>, -B<-explicit_policy>, B<-inhibit_any>, B<-inhibit_map>, -B<-x509_strict>, B<-extended_crl>, B<-use_deltas>, -B<-policy_print>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B<-trusted_first>, -B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>, -B<-partial_chain>, B<-no_alt_chains>, B<-no_check_time>, -B<-auth_level>, -B<-allow_proxy_certs> - -Set various options of certificate chain verification. -See L<openssl(1)/Verification Options> for details. +{- $OpenSSL::safe::opt_v_item -} + +The certificate verification options +B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> +only affect the certificate verification enabled via the B<-out_trusted> option. =back |
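Review bot: In the hunk at @@ -378,23 +349,9 the matching rules for the three options disappear from this page. The removed text said that -verify_hostname compares against a DNS Subject Alternative Name and falls back to the subject Common Name only when no DNS SAN is included, and that -verify_ip and -verify_email match the corresponding SAN types. The replacement paragraph only states the scope of the options, so the semantics now depend on what {- $OpenSSL::safe::opt_v_item -} expands to, which this diff does not show. Please confirm the generated text covers the CN fallback, or keep a one-line pointer to where it is described.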
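Review bot: In the hunk at @@ -808,6 +773,10 the added paragraph tells the reader that -verify_hostname has no effect on this verification, and the very next item is -tls_host, "Address to be checked during hostname validation". Someone trying to constrain the TLS peer name learns what does not apply but not what does; consider ending the paragraph with a pointer to -tls_host. The same three-line paragraph is also added verbatim at @@ -521,6 +478,10, @@ -666,13 +627,17 and @@ -913,6 +882,10, so a single shared wording would keep the four copies from drifting apart.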
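Review bot: The closing paragraph added in the hunk at @@ -991,21 +964,11 limits -verify_hostname, -verify_ip and -verify_email to the verification enabled via -out_trusted, while the synopsis heading kept as context in @@ -140,33 +137,7 still reads "Certificate verification options, for both CMP and TLS:". The heading should mention the exception, or the three options should stay visibly grouped with the enrollment options they were removed from in @@ -35,9 +35,6. The removed line "See L<openssl(1)/Verification Options> for details." also has no visible replacement; check that the template output carries an equivalent cross-reference.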