Fixed typo in rsautl.pod

[openssl.git] / doc / apps / verify.pod

diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 9cc7fcb817917b6adba6e53999b2385163d66303..74477e5c0ff50309d125fe12cf9ef1bd5f64cad8 100644 (file)
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -9,6 +9,8 @@ verify - Utility to verify certificates.
 B<openssl> B<verify>
 [B<-CAfile file>]
 [B<-CApath directory>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-CRLfile file>]
@@ -68,6 +70,14 @@ form ("hash" is the hashed certificate subject name: see the B<-hash> option
 of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
 create symbolic links to a directory of certificates.
 
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
 =item B<-attime timestamp>
 
 Perform validation checks using time specified by B<timestamp> and not
@@ -182,13 +192,17 @@ behaviour to match that of OpenSSL versions prior to 1.1.0.
 
 =item B<-untrusted file>
 
-A file of untrusted certificates. The file should contain multiple certificates
-in PEM format concatenated together.
+A file of untrusted certificates. The file should contain one or more
+certificates in PEM format.
 
 =item B<-trusted file>
 
-A file of additional trusted certificates. The file should contain multiple
-certificates in PEM format concatenated together.
+A file of trusted certificates. The file contain one or more
+certificates in PEM format.
+With this option, no additional (e.g., default) certificate lists
+are consulted. That is, the only trusted issuers are those listed
+in B<file>.
+This option cannot be used with the B<-CAfile> or B<-CApath> options.
 
 =item B<-use_deltas>
 
@@ -269,9 +283,8 @@ certificate. If a certificate is found which is its own issuer it is assumed
 to be the root CA.
 
 The process of 'looking up the issuers certificate' itself involves a number
-of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
-subject name matched the issuer of the current certificate was assumed to be
-the issuers certificate. In OpenSSL 0.9.6 and later all certificates
+of steps.
+Ater all certificates
 whose subject name matches the issuer name of the current certificate are 
 subject to further tests. The relevant authority key identifier components
 of the current certificate (if present) must match the subject key identifier
@@ -294,7 +307,7 @@ the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility.
 
 The third operation is to check the trust settings on the root CA. The root
 CA should be trusted for the supplied purpose. For compatibility with previous
-versions of SSLeay and OpenSSL a certificate with no trust settings is considered
+versions of OpenSSL, a certificate with no trust settings is considered
 to be valid for all purposes. 
 
 The final operation is to check the validity of the certificate chain. The validity
@@ -494,7 +507,7 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.
 
 =head1 SEE ALSO
 
-L<x509(1)|x509(1)>
+L<x509(1)>
 
 =head1 HISTORY