xref: /freebsd/crypto/openssl/doc/man1/openssl-verification-options.pod (revision a7148ab39c03abd4d1a84997c70bf96f15dd2a09)
1b077aed3SPierre Pronchery=pod
2b077aed3SPierre Pronchery
3b077aed3SPierre Pronchery=head1 NAME
4b077aed3SPierre Pronchery
5b077aed3SPierre Proncheryopenssl-verification-options - generic X.509 certificate verification options
6b077aed3SPierre Pronchery
7b077aed3SPierre Pronchery=head1 SYNOPSIS
8b077aed3SPierre Pronchery
9b077aed3SPierre ProncheryB<openssl>
10b077aed3SPierre ProncheryI<command>
11b077aed3SPierre Pronchery[ I<options> ... ]
12b077aed3SPierre Pronchery[ I<parameters> ... ]
13b077aed3SPierre Pronchery
14b077aed3SPierre Pronchery=head1 DESCRIPTION
15b077aed3SPierre Pronchery
16b077aed3SPierre ProncheryThere are many situations where X.509 certificates are verified
17b077aed3SPierre Proncherywithin the OpenSSL libraries and in various OpenSSL commands.
18b077aed3SPierre Pronchery
19b077aed3SPierre ProncheryCertificate verification is implemented by L<X509_verify_cert(3)>.
20b077aed3SPierre ProncheryIt is a complicated process consisting of a number of steps
21b077aed3SPierre Proncheryand depending on numerous options.
22b077aed3SPierre ProncheryThe most important of them are detailed in the following sections.
23b077aed3SPierre Pronchery
24b077aed3SPierre ProncheryIn a nutshell, a valid chain of certificates needs to be built up and verified
25b077aed3SPierre Proncherystarting from the I<target certificate> that is to be verified
26b077aed3SPierre Proncheryand ending in a certificate that due to some policy is trusted.
27b077aed3SPierre ProncheryVerification is done relative to the given I<purpose>, which is the intended use
28b077aed3SPierre Proncheryof the target certificate, such as SSL server, or by default for any purpose.
29b077aed3SPierre Pronchery
30b077aed3SPierre ProncheryThe details of how each OpenSSL command handles errors
31b077aed3SPierre Proncheryare documented on the specific command page.
32b077aed3SPierre Pronchery
33b077aed3SPierre ProncheryDANE support is documented in L<openssl-s_client(1)>,
34b077aed3SPierre ProncheryL<SSL_CTX_dane_enable(3)>, L<SSL_set1_host(3)>,
35b077aed3SPierre ProncheryL<X509_VERIFY_PARAM_set_flags(3)>, and L<X509_check_host(3)>.
36b077aed3SPierre Pronchery
37b077aed3SPierre Pronchery=head2 Trust Anchors
38b077aed3SPierre Pronchery
39b077aed3SPierre ProncheryIn general, according to RFC 4158 and RFC 5280, a I<trust anchor> is
40b077aed3SPierre Proncheryany public key and related subject distinguished name (DN) that
41b077aed3SPierre Proncheryfor some reason is considered trusted
42b077aed3SPierre Proncheryand thus is acceptable as the root of a chain of certificates.
43b077aed3SPierre Pronchery
44b077aed3SPierre ProncheryIn practice, trust anchors are given in the form of certificates,
45b077aed3SPierre Proncherywhere their essential fields are the public key and the subject DN.
46b077aed3SPierre ProncheryIn addition to the requirements in RFC 5280,
47b077aed3SPierre ProncheryOpenSSL checks the validity period of such certificates
48b077aed3SPierre Proncheryand makes use of some further fields.
49b077aed3SPierre ProncheryIn particular, the subject key identifier extension, if present,
50b077aed3SPierre Proncheryis used for matching trust anchors during chain building.
51b077aed3SPierre Pronchery
52b077aed3SPierre ProncheryIn the most simple and common case, trust anchors are by default
53b077aed3SPierre Proncheryall self-signed "root" CA certificates that are placed in the I<trust store>,
54b077aed3SPierre Proncherywhich is a collection of certificates that are trusted for certain uses.
55b077aed3SPierre ProncheryThis is akin to what is used in the trust stores of Mozilla Firefox,
56b077aed3SPierre Proncheryor Apple's and Microsoft's certificate stores, ...
57b077aed3SPierre Pronchery
58b077aed3SPierre ProncheryFrom the OpenSSL perspective, a trust anchor is a certificate
59b077aed3SPierre Proncherythat should be augmented with an explicit designation for which
60b077aed3SPierre Proncheryuses of a target certificate the certificate may serve as a trust anchor.
61b077aed3SPierre ProncheryIn PEM encoding, this is indicated by the C<TRUSTED CERTIFICATE> string.
62b077aed3SPierre ProncherySuch a designation provides a set of positive trust attributes
63b077aed3SPierre Proncheryexplicitly stating trust for the listed purposes
64b077aed3SPierre Proncheryand/or a set of negative trust attributes
65b077aed3SPierre Proncheryexplicitly rejecting the use for the listed purposes.
66b077aed3SPierre ProncheryThe purposes are encoded using the values defined for the extended key usages
67b077aed3SPierre Pronchery(EKUs) that may be given in X.509 extensions of end-entity certificates.
68b077aed3SPierre ProncherySee also the L</Extended Key Usage> section below.
69b077aed3SPierre Pronchery
70b077aed3SPierre ProncheryThe currently recognized uses are
71b077aed3SPierre ProncheryB<clientAuth> (SSL client use), B<serverAuth> (SSL server use),
72b077aed3SPierre ProncheryB<emailProtection> (S/MIME email use), B<codeSigning> (object signer use),
73b077aed3SPierre ProncheryB<OCSPSigning> (OCSP responder use), B<OCSP> (OCSP request use),
74b077aed3SPierre ProncheryB<timeStamping> (TSA server use), and B<anyExtendedKeyUsage>.
75b077aed3SPierre ProncheryAs of OpenSSL 1.1.0, the last of these blocks all uses when rejected or
76b077aed3SPierre Proncheryenables all uses when trusted.
77b077aed3SPierre Pronchery
78b077aed3SPierre ProncheryA certificate, which may be CA certificate or an end-entity certificate,
79b077aed3SPierre Proncheryis considered a trust anchor for the given use
80b077aed3SPierre Proncheryif and only if all the following conditions hold:
81b077aed3SPierre Pronchery
82b077aed3SPierre Pronchery=over 4
83b077aed3SPierre Pronchery
84b077aed3SPierre Pronchery=item *
85b077aed3SPierre Pronchery
86b077aed3SPierre ProncheryIt is an an element of the trust store.
87b077aed3SPierre Pronchery
88b077aed3SPierre Pronchery=item *
89b077aed3SPierre Pronchery
90b077aed3SPierre ProncheryIt does not have a negative trust attribute rejecting the given use.
91b077aed3SPierre Pronchery
92b077aed3SPierre Pronchery=item *
93b077aed3SPierre Pronchery
94b077aed3SPierre ProncheryIt has a positive trust attribute accepting the given use
95aa795734SPierre Proncheryor (by default) one of the following compatibility conditions apply:
96b077aed3SPierre ProncheryIt is self-signed or the B<-partial_chain> option is given
97b077aed3SPierre Pronchery(which corresponds to the B<X509_V_FLAG_PARTIAL_CHAIN> flag being set).
98b077aed3SPierre Pronchery
99b077aed3SPierre Pronchery=back
100b077aed3SPierre Pronchery
101b077aed3SPierre Pronchery=head2 Certification Path Building
102b077aed3SPierre Pronchery
103b077aed3SPierre ProncheryFirst, a certificate chain is built up starting from the target certificate
104b077aed3SPierre Proncheryand ending in a trust anchor.
105b077aed3SPierre Pronchery
106b077aed3SPierre ProncheryThe chain is built up iteratively, looking up in turn
107b077aed3SPierre Proncherya certificate with suitable key usage that
108b077aed3SPierre Proncherymatches as an issuer of the current "subject" certificate as described below.
109b077aed3SPierre ProncheryIf there is such a certificate, the first one found that is currently valid
110b077aed3SPierre Proncheryis taken, otherwise the one that expired most recently of all such certificates.
111b077aed3SPierre ProncheryFor efficiency, no backtracking is performed, thus
112b077aed3SPierre Proncheryany further candidate issuer certificates that would match equally are ignored.
113b077aed3SPierre Pronchery
114b077aed3SPierre ProncheryWhen a self-signed certificate has been added, chain construction stops.
115b077aed3SPierre ProncheryIn this case it must fully match a trust anchor, otherwise chain building fails.
116b077aed3SPierre Pronchery
117b077aed3SPierre ProncheryA candidate issuer certificate matches a subject certificate
118b077aed3SPierre Proncheryif all of the following conditions hold:
119b077aed3SPierre Pronchery
120b077aed3SPierre Pronchery=over 4
121b077aed3SPierre Pronchery
122b077aed3SPierre Pronchery=item *
123b077aed3SPierre Pronchery
124b077aed3SPierre ProncheryIts subject name matches the issuer name of the subject certificate.
125b077aed3SPierre Pronchery
126b077aed3SPierre Pronchery=item *
127b077aed3SPierre Pronchery
128b077aed3SPierre ProncheryIf the subject certificate has an authority key identifier extension,
129b077aed3SPierre Proncheryeach of its sub-fields equals the corresponding subject key identifier, serial
130b077aed3SPierre Proncherynumber, and issuer field of the candidate issuer certificate,
131b077aed3SPierre Proncheryas far as the respective fields are present in both certificates.
132b077aed3SPierre Pronchery
133b077aed3SPierre Pronchery=item *
134b077aed3SPierre Pronchery
135b077aed3SPierre ProncheryThe certificate signature algorithm used to sign the subject certificate
136b077aed3SPierre Proncheryis supported and
137b077aed3SPierre Proncheryequals the public key algorithm of the candidate issuer certificate.
138b077aed3SPierre Pronchery
139b077aed3SPierre Pronchery=back
140b077aed3SPierre Pronchery
141b077aed3SPierre ProncheryThe lookup first searches for issuer certificates in the trust store.
142b077aed3SPierre ProncheryIf it does not find a match there it consults
143b077aed3SPierre Proncherythe list of untrusted ("intermediate" CA) certificates, if provided.
144b077aed3SPierre Pronchery
145b077aed3SPierre Pronchery=head2 Certification Path Validation
146b077aed3SPierre Pronchery
147b077aed3SPierre ProncheryWhen the certificate chain building process was successful
148b077aed3SPierre Proncherythe chain components and their links are checked thoroughly.
149b077aed3SPierre Pronchery
150b077aed3SPierre ProncheryThe first step is to check that each certificate is well-formed.
151b077aed3SPierre ProncheryPart of these checks are enabled only if the B<-x509_strict> option is given.
152b077aed3SPierre Pronchery
153b077aed3SPierre ProncheryThe second step is to check the extensions of every untrusted certificate
154b077aed3SPierre Proncheryfor consistency with the supplied purpose.
155b077aed3SPierre ProncheryIf the B<-purpose> option is not given then no such checks are done
156b077aed3SPierre Proncheryexcept for SSL/TLS connection setup,
157b077aed3SPierre Proncherywhere by default C<sslserver> or C<sslclient>, are checked.
158b077aed3SPierre ProncheryThe target or "leaf" certificate, as well as any other untrusted certificates,
159b077aed3SPierre Proncherymust have extensions compatible with the specified purpose.
160b077aed3SPierre ProncheryAll certificates except the target or "leaf" must also be valid CA certificates.
161b077aed3SPierre ProncheryThe precise extensions required are described in more detail in
162b077aed3SPierre ProncheryL<openssl-x509(1)/CERTIFICATE EXTENSIONS>.
163b077aed3SPierre Pronchery
164b077aed3SPierre ProncheryThe third step is to check the trust settings on the last certificate
165b077aed3SPierre Pronchery(which typically is a self-signed root CA certificate).
166b077aed3SPierre ProncheryIt must be trusted for the given use.
167b077aed3SPierre ProncheryFor compatibility with previous versions of OpenSSL, a self-signed certificate
168b077aed3SPierre Proncherywith no trust attributes is considered to be valid for all uses.
169b077aed3SPierre Pronchery
170b077aed3SPierre ProncheryThe fourth, and final, step is to check the validity of the certificate chain.
171b077aed3SPierre ProncheryFor each element in the chain, including the root CA certificate,
172b077aed3SPierre Proncherythe validity period as specified by the C<notBefore> and C<notAfter> fields
173b077aed3SPierre Proncheryis checked against the current system time.
174b077aed3SPierre ProncheryThe B<-attime> flag may be used to use a reference time other than "now."
175b077aed3SPierre ProncheryThe certificate signature is checked as well
176b077aed3SPierre Pronchery(except for the signature of the typically self-signed root CA certificate,
177b077aed3SPierre Proncherywhich is verified only if the B<-check_ss_sig> option is given).
178b077aed3SPierre ProncheryWhen verifying a certificate signature
179b077aed3SPierre Proncherythe keyUsage extension (if present) of the candidate issuer certificate
180b077aed3SPierre Proncheryis checked to permit digitalSignature for signing proxy certificates
181b077aed3SPierre Proncheryor to permit keyCertSign for signing other certificates, respectively.
182b077aed3SPierre ProncheryIf all operations complete successfully then certificate is considered
183b077aed3SPierre Proncheryvalid. If any operation fails then the certificate is not valid.
184b077aed3SPierre Pronchery
185b077aed3SPierre Pronchery=head1 OPTIONS
186b077aed3SPierre Pronchery
187b077aed3SPierre Pronchery=head2 Trusted Certificate Options
188b077aed3SPierre Pronchery
189b077aed3SPierre ProncheryThe following options specify how to supply the certificates
190b077aed3SPierre Proncherythat can be used as trust anchors for certain uses.
191b077aed3SPierre ProncheryAs mentioned, a collection of such certificates is called a I<trust store>.
192b077aed3SPierre Pronchery
193b077aed3SPierre ProncheryNote that OpenSSL does not provide a default set of trust anchors.  Many
194b077aed3SPierre ProncheryLinux distributions include a system default and configure OpenSSL to point
195b077aed3SPierre Proncheryto that.  Mozilla maintains an influential trust store that can be found at
196b077aed3SPierre ProncheryL<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/>.
197b077aed3SPierre Pronchery
198b077aed3SPierre ProncheryThe certificates to add to the trust store
199b077aed3SPierre Proncherycan be specified using following options.
200b077aed3SPierre Pronchery
201b077aed3SPierre Pronchery=over 4
202b077aed3SPierre Pronchery
203b077aed3SPierre Pronchery=item B<-CAfile> I<file>
204b077aed3SPierre Pronchery
205b077aed3SPierre ProncheryLoad the specified file which contains a certificate
206b077aed3SPierre Proncheryor several of them in case the input is in PEM or PKCS#12 format.
207b077aed3SPierre ProncheryPEM-encoded certificates may also have trust attributes set.
208b077aed3SPierre Pronchery
209b077aed3SPierre Pronchery=item B<-no-CAfile>
210b077aed3SPierre Pronchery
211b077aed3SPierre ProncheryDo not load the default file of trusted certificates.
212b077aed3SPierre Pronchery
213b077aed3SPierre Pronchery=item B<-CApath> I<dir>
214b077aed3SPierre Pronchery
215b077aed3SPierre ProncheryUse the specified directory as a collection of trusted certificates,
216b077aed3SPierre Proncheryi.e., a trust store.
217b077aed3SPierre ProncheryFiles should be named with the hash value of the X.509 SubjectName of each
218b077aed3SPierre Proncherycertificate. This is so that the library can extract the IssuerName,
219b077aed3SPierre Proncheryhash it, and directly lookup the file to get the issuer certificate.
220b077aed3SPierre ProncherySee L<openssl-rehash(1)> for information on creating this type of directory.
221b077aed3SPierre Pronchery
222b077aed3SPierre Pronchery=item B<-no-CApath>
223b077aed3SPierre Pronchery
224b077aed3SPierre ProncheryDo not use the default directory of trusted certificates.
225b077aed3SPierre Pronchery
226b077aed3SPierre Pronchery=item B<-CAstore> I<uri>
227b077aed3SPierre Pronchery
228b077aed3SPierre ProncheryUse I<uri> as a store of CA certificates.
229b077aed3SPierre ProncheryThe URI may indicate a single certificate, as well as a collection of them.
230b077aed3SPierre ProncheryWith URIs in the C<file:> scheme, this acts as B<-CAfile> or
231b077aed3SPierre ProncheryB<-CApath>, depending on if the URI indicates a single file or
232b077aed3SPierre Proncherydirectory.
233b077aed3SPierre ProncherySee L<ossl_store-file(7)> for more information on the C<file:> scheme.
234b077aed3SPierre Pronchery
235b077aed3SPierre ProncheryThese certificates are also used when building the server certificate
236b077aed3SPierre Proncherychain (for example with L<openssl-s_server(1)>) or client certificate
237b077aed3SPierre Proncherychain (for example with L<openssl-s_time(1)>).
238b077aed3SPierre Pronchery
239b077aed3SPierre Pronchery=item B<-no-CAstore>
240b077aed3SPierre Pronchery
241b077aed3SPierre ProncheryDo not use the default store of trusted CA certificates.
242b077aed3SPierre Pronchery
243b077aed3SPierre Pronchery=back
244b077aed3SPierre Pronchery
245b077aed3SPierre Pronchery=head2 Verification Options
246b077aed3SPierre Pronchery
247b077aed3SPierre ProncheryThe certificate verification can be fine-tuned with the following flags.
248b077aed3SPierre Pronchery
249b077aed3SPierre Pronchery=over 4
250b077aed3SPierre Pronchery
251b077aed3SPierre Pronchery=item B<-verbose>
252b077aed3SPierre Pronchery
253b077aed3SPierre ProncheryPrint extra information about the operations being performed.
254b077aed3SPierre Pronchery
255b077aed3SPierre Pronchery=item B<-attime> I<timestamp>
256b077aed3SPierre Pronchery
257b077aed3SPierre ProncheryPerform validation checks using time specified by I<timestamp> and not
258b077aed3SPierre Proncherycurrent system time. I<timestamp> is the number of seconds since
259b077aed3SPierre ProncheryJanuary 1, 1970 (i.e., the Unix Epoch).
260b077aed3SPierre Pronchery
261b077aed3SPierre Pronchery=item B<-no_check_time>
262b077aed3SPierre Pronchery
263b077aed3SPierre ProncheryThis option suppresses checking the validity period of certificates and CRLs
264b077aed3SPierre Proncheryagainst the current time. If option B<-attime> is used to specify
265b077aed3SPierre Proncherya verification time, the check is not suppressed.
266b077aed3SPierre Pronchery
267b077aed3SPierre Pronchery=item B<-x509_strict>
268b077aed3SPierre Pronchery
269b077aed3SPierre ProncheryThis disables non-compliant workarounds for broken certificates.
270b077aed3SPierre ProncheryThus errors are thrown on certificates not compliant with RFC 5280.
271b077aed3SPierre Pronchery
272b077aed3SPierre ProncheryWhen this option is set,
273b077aed3SPierre Proncheryamong others, the following certificate well-formedness conditions are checked:
274b077aed3SPierre Pronchery
275b077aed3SPierre Pronchery=over 4
276b077aed3SPierre Pronchery
277b077aed3SPierre Pronchery=item *
278b077aed3SPierre Pronchery
279b077aed3SPierre ProncheryThe basicConstraints of CA certificates must be marked critical.
280b077aed3SPierre Pronchery
281b077aed3SPierre Pronchery=item *
282b077aed3SPierre Pronchery
283b077aed3SPierre ProncheryCA certificates must explicitly include the keyUsage extension.
284b077aed3SPierre Pronchery
285b077aed3SPierre Pronchery=item *
286b077aed3SPierre Pronchery
287b077aed3SPierre ProncheryIf a pathlenConstraint is given the key usage keyCertSign must be allowed.
288b077aed3SPierre Pronchery
289b077aed3SPierre Pronchery=item *
290b077aed3SPierre Pronchery
291b077aed3SPierre ProncheryThe pathlenConstraint must not be given for non-CA certificates.
292b077aed3SPierre Pronchery
293b077aed3SPierre Pronchery=item *
294b077aed3SPierre Pronchery
295b077aed3SPierre ProncheryThe issuer name of any certificate must not be empty.
296b077aed3SPierre Pronchery
297b077aed3SPierre Pronchery=item *
298b077aed3SPierre Pronchery
299b077aed3SPierre ProncheryThe subject name of CA certs, certs with keyUsage crlSign, and certs
300b077aed3SPierre Proncherywithout subjectAlternativeName must not be empty.
301b077aed3SPierre Pronchery
302b077aed3SPierre Pronchery=item *
303b077aed3SPierre Pronchery
304b077aed3SPierre ProncheryIf a subjectAlternativeName extension is given it must not be empty.
305b077aed3SPierre Pronchery
306b077aed3SPierre Pronchery=item *
307b077aed3SPierre Pronchery
308b077aed3SPierre ProncheryThe signatureAlgorithm field and the cert signature must be consistent.
309b077aed3SPierre Pronchery
310b077aed3SPierre Pronchery=item *
311b077aed3SPierre Pronchery
312b077aed3SPierre ProncheryAny given authorityKeyIdentifier and any given subjectKeyIdentifier
313b077aed3SPierre Proncherymust not be marked critical.
314b077aed3SPierre Pronchery
315b077aed3SPierre Pronchery=item *
316b077aed3SPierre Pronchery
317b077aed3SPierre ProncheryThe authorityKeyIdentifier must be given for X.509v3 certs unless they
318b077aed3SPierre Proncheryare self-signed.
319b077aed3SPierre Pronchery
320b077aed3SPierre Pronchery=item *
321b077aed3SPierre Pronchery
322b077aed3SPierre ProncheryThe subjectKeyIdentifier must be given for all X.509v3 CA certs.
323b077aed3SPierre Pronchery
324b077aed3SPierre Pronchery=back
325b077aed3SPierre Pronchery
326b077aed3SPierre Pronchery=item B<-ignore_critical>
327b077aed3SPierre Pronchery
328b077aed3SPierre ProncheryNormally if an unhandled critical extension is present that is not
329b077aed3SPierre Proncherysupported by OpenSSL the certificate is rejected (as required by RFC5280).
330b077aed3SPierre ProncheryIf this option is set critical extensions are ignored.
331b077aed3SPierre Pronchery
332b077aed3SPierre Pronchery=item B<-issuer_checks>
333b077aed3SPierre Pronchery
334b077aed3SPierre ProncheryIgnored.
335b077aed3SPierre Pronchery
336b077aed3SPierre Pronchery=item B<-crl_check>
337b077aed3SPierre Pronchery
338b077aed3SPierre ProncheryChecks end entity certificate validity by attempting to look up a valid CRL.
339b077aed3SPierre ProncheryIf a valid CRL cannot be found an error occurs.
340b077aed3SPierre Pronchery
341b077aed3SPierre Pronchery=item B<-crl_check_all>
342b077aed3SPierre Pronchery
343b077aed3SPierre ProncheryChecks the validity of B<all> certificates in the chain by attempting
344b077aed3SPierre Proncheryto look up valid CRLs.
345b077aed3SPierre Pronchery
346b077aed3SPierre Pronchery=item B<-use_deltas>
347b077aed3SPierre Pronchery
348b077aed3SPierre ProncheryEnable support for delta CRLs.
349b077aed3SPierre Pronchery
350b077aed3SPierre Pronchery=item B<-extended_crl>
351b077aed3SPierre Pronchery
352b077aed3SPierre ProncheryEnable extended CRL features such as indirect CRLs and alternate CRL
353b077aed3SPierre Proncherysigning keys.
354b077aed3SPierre Pronchery
355b077aed3SPierre Pronchery=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
356b077aed3SPierre Pronchery
357b077aed3SPierre ProncheryEnable the Suite B mode operation at 128 bit Level of Security, 128 bit or
358b077aed3SPierre Pronchery192 bit, or only 192 bit Level of Security respectively.
359b077aed3SPierre ProncherySee RFC6460 for details. In particular the supported signature algorithms are
360b077aed3SPierre Proncheryreduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves
361b077aed3SPierre ProncheryP-256 and P-384.
362b077aed3SPierre Pronchery
363b077aed3SPierre Pronchery=item B<-auth_level> I<level>
364b077aed3SPierre Pronchery
365b077aed3SPierre ProncherySet the certificate chain authentication security level to I<level>.
366b077aed3SPierre ProncheryThe authentication security level determines the acceptable signature and
367b077aed3SPierre Proncherypublic key strength when verifying certificate chains.  For a certificate
368b077aed3SPierre Proncherychain to validate, the public keys of all the certificates must meet the
369b077aed3SPierre Proncheryspecified security I<level>.  The signature algorithm security level is
370b077aed3SPierre Proncheryenforced for all the certificates in the chain except for the chain's
371b077aed3SPierre ProncheryI<trust anchor>, which is either directly trusted or validated by means
372b077aed3SPierre Proncheryother than its signature.  See L<SSL_CTX_set_security_level(3)> for the
373b077aed3SPierre Proncherydefinitions of the available levels.  The default security level is -1,
374b077aed3SPierre Proncheryor "not set".  At security level 0 or lower all algorithms are acceptable.
375b077aed3SPierre ProncherySecurity level 1 requires at least 80-bit-equivalent security and is broadly
376b077aed3SPierre Proncheryinteroperable, though it will, for example, reject MD5 signatures or RSA
377b077aed3SPierre Proncherykeys shorter than 1024 bits.
378b077aed3SPierre Pronchery
379b077aed3SPierre Pronchery=item B<-partial_chain>
380b077aed3SPierre Pronchery
381b077aed3SPierre ProncheryAllow verification to succeed if an incomplete chain can be built.
382b077aed3SPierre ProncheryThat is, a chain ending in a certificate that normally would not be trusted
383b077aed3SPierre Pronchery(because it has no matching positive trust attributes and is not self-signed)
384b077aed3SPierre Proncherybut is an element of the trust store.
385b077aed3SPierre ProncheryThis certificate may be self-issued or belong to an intermediate CA.
386b077aed3SPierre Pronchery
387b077aed3SPierre Pronchery=item B<-check_ss_sig>
388b077aed3SPierre Pronchery
389b077aed3SPierre ProncheryVerify the signature of
390b077aed3SPierre Proncherythe last certificate in a chain if the certificate is supposedly self-signed.
391b077aed3SPierre ProncheryThis is prohibited and will result in an error if it is a non-conforming CA
392b077aed3SPierre Proncherycertificate with key usage restrictions not including the keyCertSign bit.
393b077aed3SPierre ProncheryThis verification is disabled by default because it doesn't add any security.
394b077aed3SPierre Pronchery
395b077aed3SPierre Pronchery=item B<-allow_proxy_certs>
396b077aed3SPierre Pronchery
397b077aed3SPierre ProncheryAllow the verification of proxy certificates.
398b077aed3SPierre Pronchery
399b077aed3SPierre Pronchery=item B<-trusted_first>
400b077aed3SPierre Pronchery
401b077aed3SPierre ProncheryAs of OpenSSL 1.1.0 this option is on by default and cannot be disabled.
402b077aed3SPierre Pronchery
403b077aed3SPierre ProncheryWhen constructing the certificate chain, the trusted certificates specified
404b077aed3SPierre Proncheryvia B<-CAfile>, B<-CApath>, B<-CAstore> or B<-trusted> are always used
405b077aed3SPierre Proncherybefore any certificates specified via B<-untrusted>.
406b077aed3SPierre Pronchery
407b077aed3SPierre Pronchery=item B<-no_alt_chains>
408b077aed3SPierre Pronchery
409b077aed3SPierre ProncheryAs of OpenSSL 1.1.0, since B<-trusted_first> always on, this option has no
410b077aed3SPierre Proncheryeffect.
411b077aed3SPierre Pronchery
412b077aed3SPierre Pronchery=item B<-trusted> I<file>
413b077aed3SPierre Pronchery
414b077aed3SPierre ProncheryParse I<file> as a set of one or more certificates.
415b077aed3SPierre ProncheryEach of them qualifies as trusted if has a suitable positive trust attribute
416b077aed3SPierre Proncheryor it is self-signed or the B<-partial_chain> option is specified.
417b077aed3SPierre ProncheryThis option implies the B<-no-CAfile>, B<-no-CApath>, and B<-no-CAstore> options
418b077aed3SPierre Proncheryand it cannot be used with the B<-CAfile>, B<-CApath> or B<-CAstore> options, so
419b077aed3SPierre Proncheryonly certificates specified using the B<-trusted> option are trust anchors.
420b077aed3SPierre ProncheryThis option may be used multiple times.
421b077aed3SPierre Pronchery
422b077aed3SPierre Pronchery=item B<-untrusted> I<file>
423b077aed3SPierre Pronchery
424b077aed3SPierre ProncheryParse I<file> as a set of one or more certificates.
425b077aed3SPierre ProncheryAll certificates (typically of intermediate CAs) are considered untrusted
426b077aed3SPierre Proncheryand may be used to
427b077aed3SPierre Proncheryconstruct a certificate chain from the target certificate to a trust anchor.
428b077aed3SPierre ProncheryThis option may be used multiple times.
429b077aed3SPierre Pronchery
430b077aed3SPierre Pronchery=item B<-policy> I<arg>
431b077aed3SPierre Pronchery
432b077aed3SPierre ProncheryEnable policy processing and add I<arg> to the user-initial-policy-set (see
433*a7148ab3SEnji CooperRFC5280). The policy I<arg> can be an object name or an OID in numeric form.
434b077aed3SPierre ProncheryThis argument can appear more than once.
435b077aed3SPierre Pronchery
436b077aed3SPierre Pronchery=item B<-explicit_policy>
437b077aed3SPierre Pronchery
438b077aed3SPierre ProncherySet policy variable require-explicit-policy (see RFC5280).
439b077aed3SPierre Pronchery
440b077aed3SPierre Pronchery=item B<-policy_check>
441b077aed3SPierre Pronchery
442b077aed3SPierre ProncheryEnables certificate policy processing.
443b077aed3SPierre Pronchery
444b077aed3SPierre Pronchery=item B<-policy_print>
445b077aed3SPierre Pronchery
446b077aed3SPierre ProncheryPrint out diagnostics related to policy processing.
447b077aed3SPierre Pronchery
448b077aed3SPierre Pronchery=item B<-inhibit_any>
449b077aed3SPierre Pronchery
450b077aed3SPierre ProncherySet policy variable inhibit-any-policy (see RFC5280).
451b077aed3SPierre Pronchery
452b077aed3SPierre Pronchery=item B<-inhibit_map>
453b077aed3SPierre Pronchery
454b077aed3SPierre ProncherySet policy variable inhibit-policy-mapping (see RFC5280).
455b077aed3SPierre Pronchery
456b077aed3SPierre Pronchery=item B<-purpose> I<purpose>
457b077aed3SPierre Pronchery
458b077aed3SPierre ProncheryThe intended use for the certificate.
459b077aed3SPierre ProncheryCurrently defined purposes are C<sslclient>, C<sslserver>, C<nssslserver>,
460b077aed3SPierre ProncheryC<smimesign>, C<smimeencrypt>, C<crlsign>, C<ocsphelper>, C<timestampsign>,
461b077aed3SPierre Proncheryand C<any>.
462b077aed3SPierre ProncheryIf peer certificate verification is enabled, by default the TLS implementation
463b077aed3SPierre Proncheryas well as the commands B<s_client> and B<s_server> check for consistency
464b077aed3SPierre Proncherywith TLS server or TLS client use, respectively.
465b077aed3SPierre Pronchery
466b077aed3SPierre ProncheryWhile IETF RFC 5280 says that B<id-kp-serverAuth> and B<id-kp-clientAuth>
467b077aed3SPierre Proncheryare only for WWW use, in practice they are used for all kinds of TLS clients
468b077aed3SPierre Proncheryand servers, and this is what OpenSSL assumes as well.
469b077aed3SPierre Pronchery
470b077aed3SPierre Pronchery=item B<-verify_depth> I<num>
471b077aed3SPierre Pronchery
472b077aed3SPierre ProncheryLimit the certificate chain to I<num> intermediate CA certificates.
473b077aed3SPierre ProncheryA maximal depth chain can have up to I<num>+2 certificates, since neither the
474b077aed3SPierre Proncheryend-entity certificate nor the trust-anchor certificate count against the
475b077aed3SPierre ProncheryB<-verify_depth> limit.
476b077aed3SPierre Pronchery
477b077aed3SPierre Pronchery=item B<-verify_email> I<email>
478b077aed3SPierre Pronchery
479b077aed3SPierre ProncheryVerify if I<email> matches the email address in Subject Alternative Name or
480b077aed3SPierre Proncherythe email in the subject Distinguished Name.
481b077aed3SPierre Pronchery
482b077aed3SPierre Pronchery=item B<-verify_hostname> I<hostname>
483b077aed3SPierre Pronchery
484b077aed3SPierre ProncheryVerify if I<hostname> matches DNS name in Subject Alternative Name or
485b077aed3SPierre ProncheryCommon Name in the subject certificate.
486b077aed3SPierre Pronchery
487b077aed3SPierre Pronchery=item B<-verify_ip> I<ip>
488b077aed3SPierre Pronchery
489b077aed3SPierre ProncheryVerify if I<ip> matches the IP address in Subject Alternative Name of
490b077aed3SPierre Proncherythe subject certificate.
491b077aed3SPierre Pronchery
492b077aed3SPierre Pronchery=item B<-verify_name> I<name>
493b077aed3SPierre Pronchery
494b077aed3SPierre ProncheryUse default verification policies like trust model and required certificate
495b077aed3SPierre Proncherypolicies identified by I<name>.
496b077aed3SPierre ProncheryThe trust model determines which auxiliary trust or reject OIDs are applicable
497b077aed3SPierre Proncheryto verifying the given certificate chain.
498b077aed3SPierre ProncheryThey can be given using the B<-addtrust> and B<-addreject> options
499b077aed3SPierre Proncheryfor L<openssl-x509(1)>.
500b077aed3SPierre ProncherySupported policy names include: B<default>, B<pkcs7>, B<smime_sign>,
501b077aed3SPierre ProncheryB<ssl_client>, B<ssl_server>.
502b077aed3SPierre ProncheryThese mimics the combinations of purpose and trust settings used in SSL, CMS
503b077aed3SPierre Proncheryand S/MIME.
504b077aed3SPierre ProncheryAs of OpenSSL 1.1.0, the trust model is inferred from the purpose when not
505b077aed3SPierre Proncheryspecified, so the B<-verify_name> options are functionally equivalent to the
506b077aed3SPierre Proncherycorresponding B<-purpose> settings.
507b077aed3SPierre Pronchery
508b077aed3SPierre Pronchery=back
509b077aed3SPierre Pronchery
510b077aed3SPierre Pronchery=head2 Extended Verification Options
511b077aed3SPierre Pronchery
512b077aed3SPierre ProncherySometimes there may be more than one certificate chain leading to an
513b077aed3SPierre Proncheryend-entity certificate.
514b077aed3SPierre ProncheryThis usually happens when a root or intermediate CA signs a certificate
515b077aed3SPierre Proncheryfor another a CA in other organization.
516b077aed3SPierre ProncheryAnother reason is when a CA might have intermediates that use two different
517b077aed3SPierre Proncherysignature formats, such as a SHA-1 and a SHA-256 digest.
518b077aed3SPierre Pronchery
519b077aed3SPierre ProncheryThe following options can be used to provide data that will allow the
520b077aed3SPierre ProncheryOpenSSL command to generate an alternative chain.
521b077aed3SPierre Pronchery
522b077aed3SPierre Pronchery=over 4
523b077aed3SPierre Pronchery
524b077aed3SPierre Pronchery=item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain>
525b077aed3SPierre Pronchery
526b077aed3SPierre ProncherySpecify an extra certificate, private key and certificate chain. These behave
527b077aed3SPierre Proncheryin the same manner as the B<-cert>, B<-key> and B<-cert_chain> options.  When
528b077aed3SPierre Proncheryspecified, the callback returning the first valid chain will be in use by the
529b077aed3SPierre Proncheryclient.
530b077aed3SPierre Pronchery
531b077aed3SPierre Pronchery=item B<-xchain_build>
532b077aed3SPierre Pronchery
533b077aed3SPierre ProncherySpecify whether the application should build the certificate chain to be
534b077aed3SPierre Proncheryprovided to the server for the extra certificates via the B<-xkey>,
535b077aed3SPierre ProncheryB<-xcert>, and B<-xchain> options.
536b077aed3SPierre Pronchery
537b077aed3SPierre Pronchery=item B<-xcertform> B<DER>|B<PEM>|B<P12>
538b077aed3SPierre Pronchery
539b077aed3SPierre ProncheryThe input format for the extra certificate.
540b077aed3SPierre ProncheryThis option has no effect and is retained for backward compatibility only.
541b077aed3SPierre Pronchery
542b077aed3SPierre Pronchery=item B<-xkeyform> B<DER>|B<PEM>|B<P12>
543b077aed3SPierre Pronchery
544b077aed3SPierre ProncheryThe input format for the extra key.
545b077aed3SPierre ProncheryThis option has no effect and is retained for backward compatibility only.
546b077aed3SPierre Pronchery
547b077aed3SPierre Pronchery=back
548b077aed3SPierre Pronchery
549b077aed3SPierre Pronchery=head2 Certificate Extensions
550b077aed3SPierre Pronchery
551b077aed3SPierre ProncheryOptions like B<-purpose> lead to checking the certificate extensions,
552b077aed3SPierre Proncherywhich determine what the target certificate and intermediate CA certificates
553b077aed3SPierre Proncherycan be used for.
554b077aed3SPierre Pronchery
555b077aed3SPierre Pronchery=head3 Basic Constraints
556b077aed3SPierre Pronchery
557b077aed3SPierre ProncheryThe basicConstraints extension CA flag is used to determine whether the
558b077aed3SPierre Proncherycertificate can be used as a CA. If the CA flag is true then it is a CA,
559b077aed3SPierre Proncheryif the CA flag is false then it is not a CA. B<All> CAs should have the
560b077aed3SPierre ProncheryCA flag set to true.
561b077aed3SPierre Pronchery
562b077aed3SPierre ProncheryIf the basicConstraints extension is absent,
563b077aed3SPierre Proncherywhich includes the case that it is an X.509v1 certificate,
564b077aed3SPierre Proncherythen the certificate is considered to be a "possible CA" and
565b077aed3SPierre Proncheryother extensions are checked according to the intended use of the certificate.
566b077aed3SPierre ProncheryThe treatment of certificates without basicConstraints as a CA
567b077aed3SPierre Proncheryis presently supported, but this could change in the future.
568b077aed3SPierre Pronchery
569b077aed3SPierre Pronchery=head3 Key Usage
570b077aed3SPierre Pronchery
571b077aed3SPierre ProncheryIf the keyUsage extension is present then additional restraints are
572b077aed3SPierre Proncherymade on the uses of the certificate. A CA certificate B<must> have the
573b077aed3SPierre ProncherykeyCertSign bit set if the keyUsage extension is present.
574b077aed3SPierre Pronchery
575b077aed3SPierre Pronchery=head3 Extended Key Usage
576b077aed3SPierre Pronchery
577b077aed3SPierre ProncheryThe extKeyUsage (EKU) extension places additional restrictions on the
578b077aed3SPierre Proncherycertificate uses. If this extension is present (whether critical or not)
579b077aed3SPierre Proncherythe key can only be used for the purposes specified.
580b077aed3SPierre Pronchery
581b077aed3SPierre ProncheryA complete description of each check is given below. The comments about
582b077aed3SPierre ProncherybasicConstraints and keyUsage and X.509v1 certificates above apply to B<all>
583b077aed3SPierre ProncheryCA certificates.
584b077aed3SPierre Pronchery
585b077aed3SPierre Pronchery
586b077aed3SPierre Pronchery=over 4
587b077aed3SPierre Pronchery
588b077aed3SPierre Pronchery=item B<SSL Client>
589b077aed3SPierre Pronchery
590b077aed3SPierre ProncheryThe extended key usage extension must be absent or include the "web client
591b077aed3SPierre Proncheryauthentication" OID.  The keyUsage extension must be absent or it must have the
592b077aed3SPierre ProncherydigitalSignature bit set.  The Netscape certificate type must be absent
593b077aed3SPierre Proncheryor it must have the SSL client bit set.
594b077aed3SPierre Pronchery
595b077aed3SPierre Pronchery=item B<SSL Client CA>
596b077aed3SPierre Pronchery
597b077aed3SPierre ProncheryThe extended key usage extension must be absent or include the "web client
598b077aed3SPierre Proncheryauthentication" OID.
599b077aed3SPierre ProncheryThe Netscape certificate type must be absent or it must have the SSL CA bit set.
600b077aed3SPierre ProncheryThis is used as a work around if the basicConstraints extension is absent.
601b077aed3SPierre Pronchery
602b077aed3SPierre Pronchery=item B<SSL Server>
603b077aed3SPierre Pronchery
604b077aed3SPierre ProncheryThe extended key usage extension must be absent or include the "web server
605b077aed3SPierre Proncheryauthentication" and/or one of the SGC OIDs.  The keyUsage extension must be
606b077aed3SPierre Proncheryabsent or it
607b077aed3SPierre Proncherymust have the digitalSignature, the keyEncipherment set or both bits set.
608b077aed3SPierre ProncheryThe Netscape certificate type must be absent or have the SSL server bit set.
609b077aed3SPierre Pronchery
610b077aed3SPierre Pronchery=item B<SSL Server CA>
611b077aed3SPierre Pronchery
612b077aed3SPierre ProncheryThe extended key usage extension must be absent or include the "web server
613b077aed3SPierre Proncheryauthentication" and/or one of the SGC OIDs.  The Netscape certificate type must
614b077aed3SPierre Proncherybe absent or the SSL CA bit must be set.
615b077aed3SPierre ProncheryThis is used as a work around if the basicConstraints extension is absent.
616b077aed3SPierre Pronchery
617b077aed3SPierre Pronchery=item B<Netscape SSL Server>
618b077aed3SPierre Pronchery
619b077aed3SPierre ProncheryFor Netscape SSL clients to connect to an SSL server it must have the
620b077aed3SPierre ProncherykeyEncipherment bit set if the keyUsage extension is present. This isn't
621b077aed3SPierre Proncheryalways valid because some cipher suites use the key for digital signing.
622b077aed3SPierre ProncheryOtherwise it is the same as a normal SSL server.
623b077aed3SPierre Pronchery
624b077aed3SPierre Pronchery=item B<Common S/MIME Client Tests>
625b077aed3SPierre Pronchery
626b077aed3SPierre ProncheryThe extended key usage extension must be absent or include the "email
627b077aed3SPierre Proncheryprotection" OID.  The Netscape certificate type must be absent or should have the
628b077aed3SPierre ProncheryS/MIME bit set. If the S/MIME bit is not set in the Netscape certificate type
629b077aed3SPierre Proncherythen the SSL client bit is tolerated as an alternative but a warning is shown.
630b077aed3SPierre ProncheryThis is because some Verisign certificates don't set the S/MIME bit.
631b077aed3SPierre Pronchery
632b077aed3SPierre Pronchery=item B<S/MIME Signing>
633b077aed3SPierre Pronchery
634b077aed3SPierre ProncheryIn addition to the common S/MIME client tests the digitalSignature bit or
635b077aed3SPierre Proncherythe nonRepudiation bit must be set if the keyUsage extension is present.
636b077aed3SPierre Pronchery
637b077aed3SPierre Pronchery=item B<S/MIME Encryption>
638b077aed3SPierre Pronchery
639b077aed3SPierre ProncheryIn addition to the common S/MIME tests the keyEncipherment bit must be set
640b077aed3SPierre Proncheryif the keyUsage extension is present.
641b077aed3SPierre Pronchery
642b077aed3SPierre Pronchery=item B<S/MIME CA>
643b077aed3SPierre Pronchery
644b077aed3SPierre ProncheryThe extended key usage extension must be absent or include the "email
645b077aed3SPierre Proncheryprotection" OID.  The Netscape certificate type must be absent or must have the
646b077aed3SPierre ProncheryS/MIME CA bit set.
647b077aed3SPierre ProncheryThis is used as a work around if the basicConstraints extension is absent.
648b077aed3SPierre Pronchery
649b077aed3SPierre Pronchery=item B<CRL Signing>
650b077aed3SPierre Pronchery
651b077aed3SPierre ProncheryThe keyUsage extension must be absent or it must have the CRL signing bit
652b077aed3SPierre Proncheryset.
653b077aed3SPierre Pronchery
654b077aed3SPierre Pronchery=item B<CRL Signing CA>
655b077aed3SPierre Pronchery
656b077aed3SPierre ProncheryThe normal CA tests apply. Except in this case the basicConstraints extension
657b077aed3SPierre Proncherymust be present.
658b077aed3SPierre Pronchery
659b077aed3SPierre Pronchery=back
660b077aed3SPierre Pronchery
661b077aed3SPierre Pronchery=head1 BUGS
662b077aed3SPierre Pronchery
663b077aed3SPierre ProncheryThe issuer checks still suffer from limitations in the underlying X509_LOOKUP
664b077aed3SPierre ProncheryAPI.  One consequence of this is that trusted certificates with matching
665b077aed3SPierre Proncherysubject name must appear in a file (as specified by the B<-CAfile> option),
666b077aed3SPierre Proncherya directory (as specified by B<-CApath>),
667b077aed3SPierre Proncheryor a store (as specified by B<-CAstore>).
668b077aed3SPierre ProncheryIf there are multiple such matches, possibly in multiple locations,
669b077aed3SPierre Proncheryonly the first one (in the mentioned order of locations) is recognised.
670b077aed3SPierre Pronchery
671b077aed3SPierre Pronchery=head1 SEE ALSO
672b077aed3SPierre Pronchery
673b077aed3SPierre ProncheryL<X509_verify_cert(3)>,
674b077aed3SPierre ProncheryL<openssl-verify(1)>,
675b077aed3SPierre ProncheryL<openssl-ocsp(1)>,
676b077aed3SPierre ProncheryL<openssl-ts(1)>,
677b077aed3SPierre ProncheryL<openssl-s_client(1)>,
678b077aed3SPierre ProncheryL<openssl-s_server(1)>,
679b077aed3SPierre ProncheryL<openssl-smime(1)>,
680b077aed3SPierre ProncheryL<openssl-cmp(1)>,
681b077aed3SPierre ProncheryL<openssl-cms(1)>
682b077aed3SPierre Pronchery
683b077aed3SPierre Pronchery=head1 HISTORY
684b077aed3SPierre Pronchery
685b077aed3SPierre ProncheryThe checks enabled by B<-x509_strict> have been extended in OpenSSL 3.0.
686b077aed3SPierre Pronchery
687b077aed3SPierre Pronchery=head1 COPYRIGHT
688b077aed3SPierre Pronchery
689*a7148ab3SEnji CooperCopyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
690b077aed3SPierre Pronchery
691b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License").  You may not use
692b077aed3SPierre Proncherythis file except in compliance with the License.  You can obtain a copy
693b077aed3SPierre Proncheryin the file LICENSE in the source distribution or at
694b077aed3SPierre ProncheryL<https://www.openssl.org/source/license.html>.
695b077aed3SPierre Pronchery
696b077aed3SPierre Pronchery=cut
697