diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-01-07 20:02:39 +0100 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-01-14 14:34:00 +0100 |
commit | c476c06f507a2c64a59c8cc86f2109aa00cf5133 (patch) | |
tree | 83787ab13dc20913c16fc816d1a442ea7e4b674a /doc | |
parent | f5f4fbaa44af055e0658c6810b91aa8607e8383a (diff) |
find_issuer(): When returning an expired issuer, take the most recently expired one
Also point out in the documenting comment that a non-expired issuer is preferred.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13805)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/openssl-verification-options.pod | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod index af1c7e3a43..620eacf5cc 100644 --- a/doc/man1/openssl-verification-options.pod +++ b/doc/man1/openssl-verification-options.pod @@ -36,6 +36,8 @@ name of the current certificate are subject to further tests. The relevant authority key identifier components of the current certificate (if present) must match the subject key identifier (if present) and issuer and serial number of the candidate issuer certificate. +If there is such a certificate, the first one found that is currently valid +is taken, otherwise the one that expired most recently of all such certificates. The lookup first searches for issuer certificates in the trust store. If it does not find a match there it consults |