-rw-r--r-- | apps/cmp.c | 4 | ||||
-rw-r--r-- | doc/man1/openssl-cmp.pod.in | 16 |
2 files changed, 13 insertions, 7 deletions
diff --git a/apps/cmp.c b/apps/cmp.c
index d0f3c020c1..9f1f115436 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -395,7 +395,9 @@ const OPTIONS cmp_options[] = {
 {"mac", OPT_MAC, 's',
 "MAC algorithm to use in PBM-based message protection. Default \"hmac-sha1\""},
 {"extracerts", OPT_EXTRACERTS, 's',
- "Certificates to append in extraCerts field of outgoing messages"},
+ "Certificates to append in extraCerts field of outgoing messages."},
+ {OPT_MORE_STR, 0, 0,
+ "This can be used as the default CMP signer cert chain to include"},
 {"unprotected_requests", OPT_UNPROTECTED_REQUESTS, '-',
 "Send messages without CMP-level protection"},
 
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 2d484805b3..97a03798a8 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -499,11 +499,14 @@ Each source may contain multiple certificates.
 
 =item B<-untrusted> I<sources>
 
-Non-trusted intermediate CA certificate(s) that may be useful for cert path
-construction for the CMP client certificate (to include in the extraCerts field
-of outgoing messages), for the TLS client certificate (if TLS is enabled),
+Non-trusted intermediate CA certificate(s).
+Any extra certificates given with the B<-cert> option are appended to it.
+All these certificates may be useful for cert path construction
+for the CMP client certificate (to include in the extraCerts field of outgoing
+messages) and for the TLS client certificate (if TLS is enabled)
+as well as for chain building
 when verifying the CMP server certificate (checking signature-based
-CMP message protection), and when verifying newly enrolled certificates.
+CMP message protection) and when verifying newly enrolled certificates.
 
 Multiple filenames may be given, separated by commas and/or whitespace.
 Each file may contain multiple certificates.
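Review bot: In the apps/cmp.c hunk, the added continuation line `"This can be used as the default CMP signer cert chain to include"` is ambiguous and ends without a period, although the same hunk adds one to the sentence before it. It does not say where the chain is included, nor how it relates to the chain that, per the `-untrusted` text changed in this commit, is built for the extraCerts field of outgoing messages. Certificates in extraCerts are only path-building aids for the recipient and carry no trust by themselves, so wording such as `"The recipient may use them to build the CMP signer cert chain."` would be harder to misread; please confirm it matches the implementation first. The man page hunks here change only `-untrusted` and `-otherpass`, so the `-extracerts` entry may need the same sentence unless it already has it. The `cmp_options[]` initializer continues outside the hunk.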
@@ -713,8 +716,9 @@ The only value with effect is B<ENGINE>.
 =item B<-otherpass> I<arg>
 
 Pass phrase source for certificate given with the B<-trusted>, B<-untrusted>,
-B<-own_trusted>,
-B<-out_trusted>, B<-extracerts>, B<-tls_extra>, or B<-tls_trusted> options.
+B<-own_trusted>, B<-srvcert>, B<-out_trusted>, B<-extracerts>,
+B<-srv_trusted>, B<-srv_untrusted>, B<-rsp_extracerts>, B<-rsp_capubs>,
+B<-tls_extra>, and B<-tls_trusted> options.
 If not given here, the password will be prompted for if needed.
 
 For more information about the format of B<arg> see the |