diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-04-30 19:38:58 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-05-13 19:42:00 +0200 |
commit | 6b326fc396d203d84f5461a0025495dfef88e1e8 (patch) | |
tree | 2fe8a5c834dd74e0cd3e0f187ce81617089604f5 /doc | |
parent | 8d9a4d833f12b0669f053a504268d13a46c079ad (diff) |
Improve CMP documentation regarding use of untrusted certs
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/openssl-cmp.pod.in | 2 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_CTX_new.pod | 8 |
2 files changed, 5 insertions, 5 deletions
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index b746d26c33..a99391ac6d 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -889,7 +889,7 @@ Trusted certificates for client authentication. =item B<-srv_untrusted> I<filenames> -Intermediate certs for constructing chains for CMP protection by client. +Intermediate CA certs that may be useful when verifying client certificates. =item B<-rsp_cert> I<filename> diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 1bc9ef8cd0..b9b8ffb2e0 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -403,13 +403,13 @@ parameter the entry is cleared. OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the certificate store containing trusted root CA certificates, which may be empty if unset. -OSSL_CMP_CTX_set1_untrusted_certs() takes over a list of certificates containing -non-trusted intermediate certs used for path construction in authentication -of the CMP server and potentially others (TLS server, newly enrolled cert). +OSSL_CMP_CTX_set1_untrusted_certs() sets up a list of non-trusted certificates +of intermediate CAs that may be useful for path construction when authenticating +the CMP server and when verifying newly enrolled certificates. The reference counts of those certificates handled successfully are increased. OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the -list of untrusted certs, which my be empty if unset. +list of untrusted certs, which may be empty if unset. OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given B<ctx>. The public key of this B<clCert> must correspond to |