Lines Matching full:must

115 In this case it must fully match a trust anchor, otherwise chain building fails.
159 must have extensions compatible with the specified purpose.
160 All certificates except the target or "leaf" must also be valid CA certificates.
166 It must be trusted for the given use.
279 The basicConstraints of CA certificates must be marked critical.
283 CA certificates must explicitly include the keyUsage extension.
287 If a pathlenConstraint is given the key usage keyCertSign must be allowed.
291 The pathlenConstraint must not be given for non-CA certificates.
295 The issuer name of any certificate must not be empty.
300 without subjectAlternativeName must not be empty.
304 If a subjectAlternativeName extension is given it must not be empty.
308 The signatureAlgorithm field and the cert signature must be consistent.
313 must not be marked critical.
317 The authorityKeyIdentifier must be given for X.509v3 certs unless they
322 The subjectKeyIdentifier must be given for all X.509v3 CA certs.
368 chain to validate, the public keys of all the certificates must meet the
572 made on the uses of the certificate. A CA certificate B<must> have the
590 The extended key usage extension must be absent or include the "web client
591 authentication" OID. The keyUsage extension must be absent or it must have the
592 digitalSignature bit set. The Netscape certificate type must be absent
593 or it must have the SSL client bit set.
597 The extended key usage extension must be absent or include the "web client
599 The Netscape certificate type must be absent or it must have the SSL CA bit set.
604 The extended key usage extension must be absent or include the "web server
605 authentication" and/or one of the SGC OIDs. The keyUsage extension must be
607 must have the digitalSignature, the keyEncipherment set or both bits set.
608 The Netscape certificate type must be absent or have the SSL server bit set.
612 The extended key usage extension must be absent or include the "web server
613 authentication" and/or one of the SGC OIDs. The Netscape certificate type must
614 be absent or the SSL CA bit must be set.
619 For Netscape SSL clients to connect to an SSL server it must have the
626 The extended key usage extension must be absent or include the "email
627 protection" OID. The Netscape certificate type must be absent or should have the
635 the nonRepudiation bit must be set if the keyUsage extension is present.
639 In addition to the common S/MIME tests the keyEncipherment bit must be set
644 The extended key usage extension must be absent or include the "email
645 protection" OID. The Netscape certificate type must be absent or must have the
651 The keyUsage extension must be absent or it must have the CRL signing bit
657 must be present.
665 subject name must appear in a file (as specified by the B<-CAfile> option),