openssl-verification-options.pod - OpenGrok cross reference for /freebsd/crypto/openssl/doc/man1/openssl-verification-options.pod

Lines Matching refs:CA
54 all self-signed "root" CA certificates that are placed in the I<trust store>,
79 A certificate, which may be CA certificate or an end-entity certificate,
144 the list of untrusted ("intermediate" CA) certificates, if provided.
161 All other certificates down the chain are checked to be valid CA certificates,
167 (which typically is a self-signed root CA certificate).
173 For each element in the chain, including the root CA certificate,
178 (except for the signature of the typically self-signed root CA certificate,
230 Use I<uri> as a store of CA certificates.
243 Do not use the default store of trusted CA certificates.
281 The basicConstraints of CA certificates must be marked critical.
285 CA certificates must explicitly include the keyUsage extension.
293 The pathlenConstraint must not be given for non-CA certificates.
301 The subject name of CA certs, certs with keyUsage crlSign, and certs
324 The subjectKeyIdentifier must be given for all X.509v3 CA certs.
387 This certificate may be self-issued or belong to an intermediate CA.
393 This is prohibited and will result in an error if it is a non-conforming CA
477 Limit the certificate chain to I<num> intermediate CA certificates.
520 This usually happens when a root or intermediate CA signs a certificate
521 for another a CA in other organization.
522 Another reason is when a CA might have intermediates that use two different
562 The basicConstraints extension CA flag is used to determine whether the
563 certificate can be used as a CA. If the CA flag is true then it is a CA,
564 if the CA flag is false then it is not a CA. B<All> CAs should have the
565 CA flag set to true.
569 then the certificate is considered to be a "possible CA" and
571 The treatment of certificates without basicConstraints as a CA
577 made on the uses of the certificate. A CA certificate B<must> have the
590 in its section 6 does not include EKU checks for CA certificates.
591 The CA/Browser Forum requires for TLS server, S/MIME, and code signing use
592 the presence of respective EKUs in subordinate CA certificates (while excluding
593 them for root CA certificates), while taking over from RFC 5280
597 EKU extensions on CA certificates, which may change in the future.
598 It does not require the presence of EKU extensions in CA certificates,
609 CA certificates.
622 For all other certificates the normal CA checks apply. In addition,
623 the Netscape certificate type must be absent or have the SSL CA bit set.
635 For all other certificates the normal CA checks apply. In addition,
636 the Netscape certificate type must be absent or have the SSL CA bit set.
657 For all other certificates the normal CA checks apply. In addition,
658 the Netscape certificate type must be absent or have the S/MIME CA bit set.
675 For all other certifcates the normal CA checks apply.
683 For all other certifcates the normal CA checks apply.
692 For all other certifcates the normal CA checks apply.