B<openssl> B<verify>
[B<-CAfile file>]
[B<-CApath directory>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
[B<-attime timestamp>]
[B<-check_ss_sig>]
-[B<-crlfile file>]
+[B<-CRLfile file>]
+[B<-crl_download>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-explicit_policy>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-untrusted file>]
+[B<-trusted file>]
[B<-use_deltas>]
[B<-verbose>]
[B<-verify_depth num>]
[B<-verify_ip ip>]
[B<-verify_name name>]
[B<-x509_strict>]
+[B<-show_chain>]
[B<->]
[certificates]
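Review bot: the SYNOPSIS renames B<-crlfile> to B<-CRLfile>, which changes the option spelling users type on the command line; if the old lowercase form is not kept as an accepted alias, the rename should be called out in the HISTORY section, which this patch does not do. The new entries B<-no-CAfile>, B<-no-CApath>, B<-crl_download> and B<-trusted> are otherwise placed consistently with the existing alphabetical-ish ordering.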
of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
create symbolic links to a directory of certificates.
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
=item B<-attime timestamp>
Perform validation checks using time specified by B<timestamp> and not
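Review bot: the two new descriptions ("Do not load the trusted CA certificates from the default file location" and "... from the default directory location") end without a full stop, unlike every other entry in this section; add the periods. It would also help to state whether an explicit B<-CAfile> or B<-CApath> given alongside B<-no-CAfile> or B<-no-CApath> is still honoured, since "default location" leaves that open.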
Verify the signature on the self-signed root CA. This is disabled by default
because it doesn't add any security.
-=item B<-crlfile file>
+=item B<-CRLfile file>
File containing one or more CRL's (in PEM format) to load.
+=item B<-crl_download>
+
+Attempt to download CRL information for this certificate.
+
=item B<-crl_check>
Checks end entity certificate validity by attempting to look up a valid CRL.
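Review bot: "Attempt to download CRL information for this certificate" does not say where the CRL is fetched from or what happens when the download fails. Documenting that the lookup is driven by the certificate's CRL distribution point extension, that it causes B<verify> to make network requests, and whether a failed download is treated as a verification error would make the option usable; the option should also be listed in HISTORY together with B<-show_chain>.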
=item B<-untrusted file>
-A file of untrusted certificates. The file should contain multiple certificates
-in PEM format concatenated together.
+A file of untrusted certificates. The file should contain one or more
+certificates in PEM format.
+
+=item B<-trusted file>
+
+A file of trusted certificates. The file contain one or more
+certificates in PEM format.
+With this option, no additional (e.g., default) certificate lists
+are consulted. That is, the only trusted issuers are those listed
+in B<file>.
+This option cannot be used with the B<-CAfile> or B<-CApath> options.
=item B<-use_deltas>
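Review bot: the B<-trusted> description reads "The file contain one or more certificates in PEM format"; it should be "The file should contain one or more certificates in PEM format", matching the wording used for B<-untrusted> just above. The sentence "This option cannot be used with the B<-CAfile> or B<-CApath> options" is useful, but it would be worth adding the converse note under B<-CAfile>/B<-CApath> so a reader of either entry sees the restriction.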
For strict X.509 compliance, disable non-compliant workarounds for broken
certificates.
+=item B<-show_chain>
+
+Display information about the certificate chain that has been built (if
+successful). Certificates in the chain that came from the untrusted list will be
+flagged as "untrusted".
+
=item B<->
Indicates the last option. All arguments following this are assumed to be
to be the root CA.
The process of 'looking up the issuers certificate' itself involves a number
-of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
-subject name matched the issuer of the current certificate was assumed to be
-the issuers certificate. In OpenSSL 0.9.6 and later all certificates
+of steps.
+Ater all certificates
whose subject name matches the issuer name of the current certificate are
subject to further tests. The relevant authority key identifier components
of the current certificate (if present) must match the subject key identifier
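Review bot: "Ater all certificates" is a typo for "After", and once the version history is removed the sentence no longer parses: "After all certificates whose subject name matches the issuer name of the current certificate are subject to further tests" has no main clause. Suggest replacing the added line with "of steps. All certificates" so the paragraph continues "whose subject name matches the issuer name of the current certificate are subject to further tests."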
=head1 SEE ALSO
-L<x509(1)|x509(1)>
+L<x509(1)>
=head1 HISTORY
-The -no_alt_chains options was first added to OpenSSL 1.1.0.
+The -show_chain option was first added to OpenSSL 1.1.0.
=cut
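Review bot: the HISTORY change replaces the B<-no_alt_chains> entry instead of adding to it, but B<-no_alt_chains> is still listed in the SYNOPSIS and its description is untouched, so its history line should remain. Add a separate line for B<-show_chain>, and consider recording the other options this patch introduces (B<-no-CAfile>, B<-no-CApath>, B<-crl_download>, B<-trusted>) and the B<-crlfile> to B<-CRLfile> rename in the same section.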