Commit 2866441a authored by Hubert Kario, committed by Matt Caswell

sort the options in verify man page alphabetically

just making sure the options are listed in the alphabetical order
both in SYNOPSIS and DESCRIPTION, no text changes
Parent cd028c8e
......@@ -7,37 +7,37 @@ verify - Utility to verify certificates.
=head1 SYNOPSIS
B<openssl> B<verify>
[B<-CApath directory>]
[B<-CAfile file>]
[B<-CApath directory>]
[B<-attime timestamp>]
[B<-check_ss_sig>]
[B<-trusted_first>]
[B<-purpose purpose>]
[B<-policy arg>]
[B<-ignore_critical>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-policy_check>]
[B<-explicit_policy>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-x509_strict>]
[B<-extended_crl>]
[B<-use_deltas>]
[B<-policy_print>]
[B<-untrusted file>]
[B<-help>]
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-issuer_checks>]
[B<-attime timestamp>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
[B<-policy_print>]
[B<-purpose purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-untrusted file>]
[B<-use_deltas>]
[B<-verbose>]
[B<-verify_depth num>]
[B<-verify_email email>]
[B<-verify_hostname hostname>]
[B<-verify_ip ip>]
[B<-verify_name name>]
[B<-x509_strict>]
[B<->]
[certificates]
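Review bot: in the SYNOPSIS list the sort is by byte value rather than case-insensitive, so B<-CAfile> and B<-CApath> land ahead of B<-attime>, and B<-> stays last regardless of its sort position. That is a workable convention, but the commit message only says "alphabetical"; stating the uppercase-first rule there would keep later additions consistent. The hunk header shows 37 lines on both sides, which fits a pure reorder.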
......@@ -50,6 +50,11 @@ The B<verify> command verifies certificate chains.
=over 4
=item B<-CAfile file>
A file of trusted certificates. The file should contain multiple certificates
in PEM format concatenated together.
=item B<-CApath directory>
A directory of trusted certificates. The certificates should have names
......@@ -58,37 +63,53 @@ form ("hash" is the hashed certificate subject name: see the B<-hash> option
of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
create symbolic links to a directory of certificates.
=item B<-CAfile file>
=item B<-attime timestamp>
A file of trusted certificates. The file should contain multiple certificates
in PEM format concatenated together.
Perform validation checks using time specified by B<timestamp> and not
current system time. B<timestamp> is the number of seconds since
01.01.1970 (UNIX time).
=item B<-untrusted file>
=item B<-check_ss_sig>
A file of untrusted certificates. The file should contain multiple certificates
in PEM format concatenated together.
Verify the signature on the self-signed root CA. This is disabled by default
because it doesn't add any security.
=item B<-trusted_first>
=item B<-crl_check>
Use certificates in CA file or CA directory before certificates in untrusted
file when building the trust chain to verify certificates.
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
Checks end entity certificate validity by attempting to look up a valid CRL.
If a valid CRL cannot be found an error occurs.
=item B<-purpose purpose>
=item B<-crl_check_all>
The intended use for the certificate. If this option is not specified,
B<verify> will not consider certificate purpose during chain verification.
Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
information.
Checks the validity of B<all> certificates in the chain by attempting
to look up valid CRLs.
=item B<-explicit_policy>
Set policy variable require-explicit-policy (see RFC5280).
=item B<-extended_crl>
Enable extended CRL features such as indirect CRLs and alternate CRL
signing keys.
=item B<-help>
Print out a usage message.
=item B<-verbose>
=item B<-ignore_critical>
Print extra information about the operations being performed.
Normally if an unhandled critical extension is present which is not
supported by OpenSSL the certificate is rejected (as required by RFC5280).
If this option is set critical extensions are ignored.
=item B<-inhibit_any>
Set policy variable inhibit-any-policy (see RFC5280).
=item B<-inhibit_map>
Set policy variable inhibit-policy-mapping (see RFC5280).
=item B<-issuer_checks>
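Review bot: the DESCRIPTION moves in this hunk are hard to confirm as "no text changes" by eye, because relocated entries such as B<-check_ss_sig> and B<-ignore_critical> show up as an addition in one hunk and a removal in another. These paragraphs describe options that change what verification accepts, so an accidental wording change would matter; reviewing with git diff --color-moved, or comparing the sorted set of =item paragraphs before and after, would confirm each one moved verbatim.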
......@@ -98,11 +119,9 @@ rejected. The presence of rejection messages does not itself imply that
anything is wrong; during the normal verification process, several
rejections may take place.
=item B<-attime timestamp>
=item B<-partial_chain>
Perform validation checks using time specified by B<timestamp> and not
current system time. B<timestamp> is the number of seconds since
01.01.1970 (UNIX time).
Allow partial certificate chain if at least one certificate is in trusted store.
=item B<-policy arg>
......@@ -114,68 +133,44 @@ This argument can appear more than once.
Enables certificate policy processing.
=item B<-explicit_policy>
Set policy variable require-explicit-policy (see RFC5280).
=item B<-inhibit_any>
Set policy variable inhibit-any-policy (see RFC5280).
=item B<-inhibit_map>
Set policy variable inhibit-policy-mapping (see RFC5280).
=item B<-policy_print>
Print out diagnostics related to policy processing.
=item B<-crl_check>
Checks end entity certificate validity by attempting to look up a valid CRL.
If a valid CRL cannot be found an error occurs.
=item B<-crl_check_all>
=item B<-purpose purpose>
Checks the validity of B<all> certificates in the chain by attempting
to look up valid CRLs.
The intended use for the certificate. If this option is not specified,
B<verify> will not consider certificate purpose during chain verification.
Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
information.
=item B<-ignore_critical>
=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
Normally if an unhandled critical extension is present which is not
supported by OpenSSL the certificate is rejected (as required by RFC5280).
If this option is set critical extensions are ignored.
enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
192 bit, or only 192 bit Level of Security respectively.
See RFC6460 for details. In particular the supported signature algorithms are
reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves
P-256 and P-384.
=item B<-x509_strict>
=item B<-trusted_first>
For strict X.509 compliance, disable non-compliant workarounds for broken
certificates.
Use certificates in CA file or CA directory before certificates in untrusted
file when building the trust chain to verify certificates.
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
=item B<-extended_crl>
=item B<-untrusted file>
Enable extended CRL features such as indirect CRLs and alternate CRL
signing keys.
A file of untrusted certificates. The file should contain multiple certificates
in PEM format concatenated together.
=item B<-use_deltas>
Enable support for delta CRLs.
=item B<-check_ss_sig>
Verify the signature on the self-signed root CA. This is disabled by default
because it doesn't add any security.
=item B<-partial_chain>
Allow partial certificate chain if at least one certificate is in trusted store.
=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
=item B<-verbose>
enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
192 bit, or only 192 bit Level of Security respectively.
See RFC6460 for details. In particular the supported signature algorithms are
reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves
P-256 and P-384.
Print extra information about the operations being performed.
=item B<-verify_depth num>
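Review bot: the combined heading "=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>" keeps its old internal order, while the SYNOPSIS now lists -suiteB_128, -suiteB_128_only, -suiteB_192. The paragraph under it depends on the heading order ("... respectively"), so the heading cannot be re-sorted without editing the text, which this commit avoids. A follow-up that splits or rewords the entry would remove the mismatch, and could also capitalise the leading "enable".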
......@@ -202,6 +197,11 @@ Use default verification options like trust model and required certificate
policies identified by B<name>.
Supported usages include: default, pkcs7, smime_sign, ssl_client, ssl_server.
=item B<-x509_strict>
For strict X.509 compliance, disable non-compliant workarounds for broken
certificates.
=item B<->
Indicates the last option. All arguments following this are assumed to be
......