1OPENSSL-VERIFY(1ossl) OpenSSL OPENSSL-VERIFY(1ossl)
2
6 openssl-verify - certificate verification command
7
9 openssl verify [-help] [-CRLfile filename|uri] [-crl_download]
10 [-show_chain] [-verbose] [-trusted filename|uri] [-untrusted
11 filename|uri] [-vfyopt nm:v] [-nameopt option] [-CAfile file]
12 [-no-CAfile] [-CApath dir] [-no-CApath] [-CAstore uri] [-no-CAstore]
13 [-engine id] [-allow_proxy_certs] [-attime timestamp] [-no_check_time]
14 [-check_ss_sig] [-crl_check] [-crl_check_all] [-explicit_policy]
15 [-extended_crl] [-ignore_critical] [-inhibit_any] [-inhibit_map]
16 [-partial_chain] [-policy arg] [-policy_check] [-policy_print]
17 [-purpose purpose] [-suiteB_128] [-suiteB_128_only] [-suiteB_192]
18 [-trusted_first] [-no_alt_chains] [-use_deltas] [-auth_level num]
19 [-verify_depth num] [-verify_email email] [-verify_hostname hostname]
20 [-verify_ip ip] [-verify_name name] [-x509_strict] [-issuer_checks]
21 [-provider name] [-provider-path path] [-propquery propq] [--]
22 [certificate ...]
23
25 This command verifies certificate chains. If a certificate chain has
26 multiple problems, this program attempts to display all of them.
27
29 -help
30 Print out a usage message.
31 -CRLfile filename|uri
33 The file or URI should contain one or more CRLs in PEM or DER
34 format. This option can be specified more than once to include
35 CRLs from multiple sources.
36 -crl_download
38 Attempt to download CRL information for certificates via their CDP
39 entries.
40 -show_chain
42 Display information about the certificate chain that has been built
43 (if successful). Certificates in the chain that came from the
44 untrusted list will be flagged as "untrusted".
45 -verbose
47 Print extra information about the operations being performed.
48 -trusted filename|uri
50 A file or URI of (more or less) trusted certificates. See
51 openssl-verification-options(1) for more information on trust
52 settings.
53 This option can be specified more than once to load certificates
55 from multiple sources.
56 -untrusted filename|uri
58 A file or URI of untrusted certificates to use for chain building.
59 This option can be specified more than once to load certificates
60 from multiple sources.
61 -vfyopt nm:v
63 Pass options to the signature algorithm during verify operations.
64 Names and values of these options are algorithm-specific.
65 -nameopt option
67 This specifies how the subject or issuer names are displayed. See
68 openssl-namedisplay-options(1) for details.
69 -engine id
71 See "Engine Options" in openssl(1). This option is deprecated.
72 To load certificates or CRLs that require engine support, specify
74 the -engine option before any of the -trusted, -untrusted or
75 -CRLfile options.
76 -CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri,
78 -no-CAstore
79 See "Trusted Certificate Options" in
80 openssl-verification-options(1) for details.
81 -allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check,
83 -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical,
84 -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy,
85 -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only,
86 -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth,
87 -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict
88 -issuer_checks
89 Set various options of certificate chain verification. See
90 "Verification Options" in openssl-verification-options(1) for
91 details.
92 -provider name
94 -provider-path path
95 -propquery propq
96 See "Provider Options" in openssl(1), provider(7), and property(7).
97 -- Indicates the last option. All arguments following this are assumed
99 to be certificate files. This is useful if the first certificate
100 filename begins with a -.
101 certificate ...
103 One or more target certificates to verify, one per file. If no
104 certificates are given, this command will attempt to read a single
105 certificate from standard input.
106
108 When a verify operation fails the output messages can be somewhat
109 cryptic. The general form of the error message is:
110 server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
112 error 24 at 1 depth lookup:invalid CA certificate
113 The first line contains the name of the certificate being verified
115 followed by the subject name of the certificate. The second line
116 contains the error number and the depth. The depth is number of the
117 certificate being verified when a problem was detected starting with
118 zero for the target ("leaf") certificate itself then 1 for the CA that
119 signed the target certificate and so on. Finally a textual version of
120 the error number is presented.
121 A list of the error codes and messages can be found in
123 X509_STORE_CTX_get_error(3); the full list is defined in the header
124 file <openssl/x509_vfy.h>.
125 This command ignores many errors, in order to allow all the problems
127 with a certificate chain to be determined.
128
130 openssl-verification-options(1), openssl-x509(1), ossl_store-file(7)
131
133 The -show_chain option was added in OpenSSL 1.1.0.
134 The -engine option was deprecated in OpenSSL 3.0.
136
138 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
139 Licensed under the Apache License 2.0 (the "License"). You may not use
141 this file except in compliance with the License. You can obtain a copy
142 in the file LICENSE in the source distribution or at
143 <https://www.openssl.org/source/license.html>.
1443.0.5 2022-11-01 OPENSSL-VERIFY(1ossl)