Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   12896 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

verify(1ssl)							  verify(1ssl)

NAME
       verify - Utility to verify certificates

SYNOPSIS
       openssl	verify	[-CApath  directory] [-CAfile filename] [-purpose pur‐
       pose] [-untrusted filename]  [-help]  [-issuer_checks]  [-verbose]  [-]
       [certificates]

DESCRIPTION
OPTIONS
       A directory of trusted certificates. The certificates should have names
       of the form hash.0 or have symbolic links to them of this form.	 Under
       UNIX  the c_rehash script will automatically create symbolic links to a
       directory of certificates. (Hash	 is  the  hashed  certificate  subject
       name.  See  the	-hash  option of the x509 command.)  A file of trusted
       certificates. The file should contain multiple certificates in PEM for‐
       mat  concatenated together.  A file of untrusted certificates. The file
       should contain multiple certificates The intended use for the  certifi‐
       cate. Without this option no chain verification will be done. Currently
       accepted	 uses  are  sslclient,	sslserver,   nssslserver,   smimesign,
       smimeencrypt.  See  the	Verify Operation section for more information.
       Prints out a usage message.  Prints extra information about the	opera‐
       tions being performed.  Prints out diagnostics relating to searches for
       the issuer certificate of the current certificate.  This shows why each
       candidate  issuer  certificate  was  rejected.  However the presence of
       rejection messages does not itself imply that anything is wrong.	  Dur‐
       ing  the	 normal	 verify	 process,  several  rejections may take place.
       Marks the last option. All arguments following this are assumed	to  be
       certificate  files.  This  is  useful if the first certificate filename
       begins with a -.	 One or more certificates to verify. If no certificate
       filenames  are  included	 then an attempt is made to read a certificate
       from standard input. They should all be in PEM format.

DESCRIPTION
       The verify utility verifies certificate chains. It uses the same	 func‐
       tions  as  the  internal SSL and S/MIME verification. However, there is
       one crucial difference between the verify operations performed  by  the
       verify  program. Wherever possible an attempt is made to continue after
       an error. Usually the verify operation would halt on the	 first	error.
       This allows all the problems with a certificate chain to be determined.

       The verify operation consists of a number of separate steps.

       First,  a  certificate  chain is built, starting from the supplied cer‐
       tificate and ending in the root CA. It is an error if the  whole	 chain
       cannot  be  built.  The chain is built  by looking up the issuer's cer‐
       tificate of the current certificate. If a certificate is found which is
       its own issuer it is assumed to be the root CA.

       The  process of looking up the issuers certificate involves a number of
       steps. In versions of OpenSSL before 0.9.5a the first certificate whose
       subject	name matched the issuer of the current certificate was assumed
       to be the issuer's certificate. In OpenSSL 0.9.6 and later all certifi‐
       cates  whose  subject  name matches the issuer name of the current cer‐
       tificate are  subject to further	 tests.	 The  relevant	authority  key
       identifier  components  of  the	current	 certificate (if present) must
       match the subject key identifier (if present)  and  issuer  and	serial
       number  of the candidate issuer. In addition, the keyUsage extension of
       the candidate issuer (if present) must permit certificate signing.  The
       lookup  first  looks  in	 the  list of untrusted certificates and if no
       match is found the remaining lookups are from the trusted certificates.
       The root CA is always looked up in the trusted certificate list. If the
       certificate to verify is a root certificate then an exact match must be
       found  in  the  trusted	list.	The second operation is to check every
       untrusted certificate's extensions for consistency  with	 the  supplied
       purpose.	 If  the  -purpose  option  is not included then no checks are
       done. The supplied or leaf certificate must have extensions  compatible
       with the supplied purpose and all other certificates must also be valid
       CA certificates. The precise extensions required are described in  more
       detail  in the Certificate Extensions section of the x509 utility.  The
       third operation is to check the trust settings on the root CA. The root
       CA  should  be trusted for the supplied purpose. For compatibility with
       previous versions of SSLeay and OpenSSL a  certificate  with  no	 trust
       settings	 is considered to be valid for all purposes.  The final opera‐
       tion is to check the validity of the certificate	 chain.	 The  validity
       period is checked against the current system time and the notBefore and
       notAfter dates in the certificate. The certificate signatures are  also
       checked at this point.

       If all operations complete successfully then the certificate is consid‐
       ered valid. If any operation fails then the certificate is not valid.

RESTRICTIONS
       Although the issuer checks are a considerably improvement over the  old
       technique   they	 still	suffer	from  limitations  in  the  underlying
       X509_LOOKUP API. One consequence of this is that	 trusted  certificates
       with  matching  subject name must either appear in a file (as specified
       by the -CAfile option) or a directory (as  specified  by	 -CApath.   If
       they  occur in both then only the certificates in the file will be rec‐
       ognized.

       Previous versions of OpenSSL assume certificates with matching  subject
       name are identical and mishandled them.

ERRORS
       When  a	verify	operation  fails,  the output messages can be somewhat
       cryptic.	 The  general  form  of	 the  error  message  is:  server.pem:
       /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
	error 24 at 1 depth lookup:invalid CA certificate

       The first line contains the name of the certificate being verified fol‐
       lowed by the subject name of the certificate. The second line  contains
       the error number and the depth. The depth is the number of the certifi‐
       cate being verified when a problem was detected, starting with zero for
       the certificate being verified itself then 1 for the CA that signed the
       certificate and so on. Finally a text version of the  error  number  is
       presented.

       A  list	of  the	 error	codes  and  messages is shown below. This also
       includes the name of the error code  as	defined	 in  the  header  file
       x509_vfy.h  Some	 of  the  error	 codes are defined but never returned.
       These are described as unused.	The  operation	was  successful.   The
       issuer  certificate  could not be found. This occurs if the issuer cer‐
       tificate of an untrusted certificate cannot be found.   The  CRL	 of  a
       certificate  could  not	be  found.  Unused.  The certificate signature
       could not be decrypted. This means  that	 the  actual  signature	 value
       could not be determined rather than it not matching the expected value,
       this is only meaningful for RSA keys.  The CRL signature could  not  be
       decrypted.  This	 means	that  the  actual signature value could not be
       determined rather than it not matching the expected value. Unused.  The
       public  key  in the certificate SubjectPublicKeyInfo could not be read.
       The signature of the certificate is invalid.  The signature of the cer‐
       tificate	 is  invalid.  Unused.	 The certificate is not yet valid. The
       notBefore date is after the current time.  The certificate has expired.
       The  notAfter  date  is	before	the  current time.  The CRL is not yet
       valid. Unused.  The certificate	has  expired.  The  notAfter  date  is
       before  the  current  time.  The CRL is not yet valid. Unused.  The CRL
       has expired. Unused.   The  certificate	notBefore  field  contains  an
       invalid time.  The certificate notAfter field contains an invalid time.
       The CRL lastUpdate field contains an invalid  time.  Unused.   The  CRL
       nextUpdate  field  contains an invalid time. Unused.  An error occurred
       trying to allocate memory. This should never happen.  The  passed  cer‐
       tificate is self signed and the same certificate cannot be found in the
       list of trusted certificates.  The certificate chain could be built  up
       using  the  untrusted  certificates  but	 the  root  could not be found
       locally.	 The issuer certificate of a  locally  looked  up  certificate
       could  not  be  found. This normally means the list of trusted certifi‐
       cates is not complete.  No signatures could  be	verified  because  the
       chain  contains	only  one  certificate and it is not self signed.  The
       certificate chain length is greater than the  supplied  maximum	depth.
       Unused.	The certificate has been revoked. Unused.  A CA certificate is
       invalid. Either it is not a CA or its  extensions  are  not  consistent
       with  the  supplied purpose.  The basicConstraints pathlength parameter
       has been exceeded.  The supplied certificate cannot  be	used  for  the
       specified purpose.  The root CA is not marked as trusted for the speci‐
       fied purpose.  The root CA is marked to reject the  specified  purpose.
       The  current candidate issuer certificate was rejected because its sub‐
       ject name did not match the issuer name	of  the	 current  certificate.
       This is only displayed when the -issuer_checks option is set.  The cur‐
       rent candidate issuer certificate was rejected because its subject  key
       identifier  was	present and did not match the authority key identifier
       current certificate. This is only  displayed  when  the	-issuer_checks
       option  is  set.	 The current candidate issuer certificate was rejected
       because its issuer name and serial number was present and did not match
       the  authority  key identifier of the current certificate. This is only
       displayed when the -issuer_checks option is set.	 The current candidate
       issuer certificate was rejected because its keyUsage extension does not
       permit certificate signing.  An application specific error. Unused.

SEE ALSO
       Commands: x509(1ssl)

								  verify(1ssl)

Vote for polarhome