Commit 2866441a, author: Hubert Kario, committer: Matt Caswell

sort the options in verify man page alphabetically

just making sure the options are listed in the alphabetical order
both in SYNOPSIS and DESCRIPTION, no text changes
Parent cd028c8e
...@@ -7,37 +7,37 @@ verify - Utility to verify certificates. ...@@ -7,37 +7,37 @@ verify - Utility to verify certificates.
=head1 SYNOPSIS =head1 SYNOPSIS
B<openssl> B<verify> B<openssl> B<verify>
[B<-CApath directory>]
[B<-CAfile file>] [B<-CAfile file>]
[B<-CApath directory>]
[B<-attime timestamp>]
[B<-check_ss_sig>] [B<-check_ss_sig>]
[B<-trusted_first>]
[B<-purpose purpose>]
[B<-policy arg>]
[B<-ignore_critical>]
[B<-crl_check>] [B<-crl_check>]
[B<-crl_check_all>] [B<-crl_check_all>]
[B<-policy_check>]
[B<-explicit_policy>] [B<-explicit_policy>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-x509_strict>]
[B<-extended_crl>] [B<-extended_crl>]
[B<-use_deltas>]
[B<-policy_print>]
[B<-untrusted file>]
[B<-help>] [B<-help>]
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-issuer_checks>] [B<-issuer_checks>]
[B<-attime timestamp>]
[B<-partial_chain>] [B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
[B<-policy_print>]
[B<-purpose purpose>]
[B<-suiteB_128>] [B<-suiteB_128>]
[B<-suiteB_128_only>] [B<-suiteB_128_only>]
[B<-suiteB_192>] [B<-suiteB_192>]
[B<-trusted_first>]
[B<-untrusted file>]
[B<-use_deltas>]
[B<-verbose>] [B<-verbose>]
[B<-verify_depth num>] [B<-verify_depth num>]
[B<-verify_email email>] [B<-verify_email email>]
[B<-verify_hostname hostname>] [B<-verify_hostname hostname>]
[B<-verify_ip ip>] [B<-verify_ip ip>]
[B<-verify_name name>] [B<-verify_name name>]
[B<-x509_strict>]
[B<->] [B<->]
[certificates] [certificates]
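Review bot: The new SYNOPSIS order is case-sensitive rather than plainly alphabetical: `[B<-CAfile file>]` and `[B<-CApath directory>]` now precede `[B<-attime timestamp>]`, which only holds if uppercase sorts before lowercase. The commit message says "alphabetical order" without naming the collation, so a contributor adding an option later could reasonably sort case-insensitively and place -attime first. Suggest stating the rule (ASCII order, uppercase first) in the commit message so the list stays consistent.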
...@@ -50,6 +50,11 @@ The B<verify> command verifies certificate chains. ...@@ -50,6 +50,11 @@ The B<verify> command verifies certificate chains.
=over 4 =over 4
=item B<-CAfile file>
A file of trusted certificates. The file should contain multiple certificates
in PEM format concatenated together.
=item B<-CApath directory> =item B<-CApath directory>
A directory of trusted certificates. The certificates should have names A directory of trusted certificates. The certificates should have names
...@@ -58,37 +63,53 @@ form ("hash" is the hashed certificate subject name: see the B<-hash> option ...@@ -58,37 +63,53 @@ form ("hash" is the hashed certificate subject name: see the B<-hash> option
of the B<x509> utility). Under Unix the B<c_rehash> script will automatically of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
create symbolic links to a directory of certificates. create symbolic links to a directory of certificates.
=item B<-CAfile file> =item B<-attime timestamp>
A file of trusted certificates. The file should contain multiple certificates Perform validation checks using time specified by B<timestamp> and not
in PEM format concatenated together. current system time. B<timestamp> is the number of seconds since
01.01.1970 (UNIX time).
=item B<-untrusted file> =item B<-check_ss_sig>
A file of untrusted certificates. The file should contain multiple certificates Verify the signature on the self-signed root CA. This is disabled by default
in PEM format concatenated together. because it doesn't add any security.
=item B<-trusted_first> =item B<-crl_check>
Use certificates in CA file or CA directory before certificates in untrusted Checks end entity certificate validity by attempting to look up a valid CRL.
file when building the trust chain to verify certificates. If a valid CRL cannot be found an error occurs.
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
=item B<-purpose purpose> =item B<-crl_check_all>
The intended use for the certificate. If this option is not specified, Checks the validity of B<all> certificates in the chain by attempting
B<verify> will not consider certificate purpose during chain verification. to look up valid CRLs.
Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more =item B<-explicit_policy>
information.
Set policy variable require-explicit-policy (see RFC5280).
=item B<-extended_crl>
Enable extended CRL features such as indirect CRLs and alternate CRL
signing keys.
=item B<-help> =item B<-help>
Print out a usage message. Print out a usage message.
=item B<-verbose> =item B<-ignore_critical>
Print extra information about the operations being performed. Normally if an unhandled critical extension is present which is not
supported by OpenSSL the certificate is rejected (as required by RFC5280).
If this option is set critical extensions are ignored.
=item B<-inhibit_any>
Set policy variable inhibit-any-policy (see RFC5280).
=item B<-inhibit_map>
Set policy variable inhibit-policy-mapping (see RFC5280).
=item B<-issuer_checks> =item B<-issuer_checks>
...@@ -98,11 +119,9 @@ rejected. The presence of rejection messages does not itself imply that ...@@ -98,11 +119,9 @@ rejected. The presence of rejection messages does not itself imply that
anything is wrong; during the normal verification process, several anything is wrong; during the normal verification process, several
rejections may take place. rejections may take place.
=item B<-attime timestamp> =item B<-partial_chain>
Perform validation checks using time specified by B<timestamp> and not Allow partial certificate chain if at least one certificate is in trusted store.
current system time. B<timestamp> is the number of seconds since
01.01.1970 (UNIX time).
=item B<-policy arg> =item B<-policy arg>
...@@ -114,68 +133,44 @@ This argument can appear more than once. ...@@ -114,68 +133,44 @@ This argument can appear more than once.
Enables certificate policy processing. Enables certificate policy processing.
=item B<-explicit_policy>
Set policy variable require-explicit-policy (see RFC5280).
=item B<-inhibit_any>
Set policy variable inhibit-any-policy (see RFC5280).
=item B<-inhibit_map>
Set policy variable inhibit-policy-mapping (see RFC5280).
=item B<-policy_print> =item B<-policy_print>
Print out diagnostics related to policy processing. Print out diagnostics related to policy processing.
=item B<-crl_check> =item B<-purpose purpose>
Checks end entity certificate validity by attempting to look up a valid CRL.
If a valid CRL cannot be found an error occurs.
=item B<-crl_check_all>
Checks the validity of B<all> certificates in the chain by attempting The intended use for the certificate. If this option is not specified,
to look up valid CRLs. B<verify> will not consider certificate purpose during chain verification.
Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
information.
=item B<-ignore_critical> =item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
Normally if an unhandled critical extension is present which is not enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
supported by OpenSSL the certificate is rejected (as required by RFC5280). 192 bit, or only 192 bit Level of Security respectively.
If this option is set critical extensions are ignored. See RFC6460 for details. In particular the supported signature algorithms are
reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves
P-256 and P-384.
=item B<-x509_strict> =item B<-trusted_first>
For strict X.509 compliance, disable non-compliant workarounds for broken Use certificates in CA file or CA directory before certificates in untrusted
certificates. file when building the trust chain to verify certificates.
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
=item B<-extended_crl> =item B<-untrusted file>
Enable extended CRL features such as indirect CRLs and alternate CRL A file of untrusted certificates. The file should contain multiple certificates
signing keys. in PEM format concatenated together.
=item B<-use_deltas> =item B<-use_deltas>
Enable support for delta CRLs. Enable support for delta CRLs.
=item B<-check_ss_sig> =item B<-verbose>
Verify the signature on the self-signed root CA. This is disabled by default
because it doesn't add any security.
=item B<-partial_chain>
Allow partial certificate chain if at least one certificate is in trusted store.
=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
enable the Suite B mode operation at 128 bit Level of Security, 128 bit or Print extra information about the operations being performed.
192 bit, or only 192 bit Level of Security respectively.
See RFC6460 for details. In particular the supported signature algorithms are
reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves
P-256 and P-384.
=item B<-verify_depth num> =item B<-verify_depth num>
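Review bot: The combined item `=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>` is not alphabetical internally and does not match the SYNOPSIS, which lists -suiteB_128, -suiteB_128_only, -suiteB_192. Reordering the flags on the item line would also mean reordering the "128 bit Level of Security, 128 bit or 192 bit, or only 192 bit" sentence, because it depends on "respectively", so it cannot be fixed under the "no text changes" constraint. Either note the exception in the commit message or handle it in a follow-up that also capitalizes the leading "enable".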
...@@ -202,6 +197,11 @@ Use default verification options like trust model and required certificate ...@@ -202,6 +197,11 @@ Use default verification options like trust model and required certificate
policies identified by B<name>. policies identified by B<name>.
Supported usages include: default, pkcs7, smime_sign, ssl_client, ssl_server. Supported usages include: default, pkcs7, smime_sign, ssl_client, ssl_server.
=item B<-x509_strict>
For strict X.509 compliance, disable non-compliant workarounds for broken
certificates.
=item B<-> =item B<->
Indicates the last option. All arguments following this are assumed to be Indicates the last option. All arguments following this are assumed to be
......