[B<-CApath directory>]
[B<-attime timestamp>]
[B<-check_ss_sig>]
+[B<-CRLfile file>]
+[B<-crl_download>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-explicit_policy>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
+[B<-no_alt_chains>]
[B<-untrusted file>]
+[B<-trusted file>]
[B<-use_deltas>]
[B<-verbose>]
[B<-verify_depth num>]
[B<-verify_ip ip>]
[B<-verify_name name>]
[B<-x509_strict>]
+[B<-show_chain>]
[B<->]
[certificates]
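Review bot: the synopsis is missing -verify_email and -verify_hostname, both of which the OPTIONS section below documents (=item B<-verify_email email>, =item B<-verify_hostname hostname>); the list jumps from [B<-verify_depth num>] straight to [B<-verify_ip ip>]. Add [B<-verify_email email>] and [B<-verify_hostname hostname>] in that position so the synopsis stays in step with OPTIONS for the existing options as well as the ones this patch adds.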
Verify the signature on the self-signed root CA. This is disabled by default
because it doesn't add any security.
+=item B<-CRLfile file>
+
+File containing one or more CRL's (in PEM format) to load.
+
+=item B<-crl_download>
+
+Attempt to download CRL information for this certificate.
+
=item B<-crl_check>
Checks end entity certificate validity by attempting to look up a valid CRL.
file when building the trust chain to verify certificates.
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
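Review bot: the -crl_download description, "Attempt to download CRL information for this certificate.", does not say which certificate is meant or whether anything is downloaded when neither -crl_check nor -crl_check_all is given; state that it applies to the certificates being verified and spell out the interaction with the -crl_check options, since a reader deciding whether revocation is actually checked needs both facts. Under -CRLfile, "CRL's" should be "CRLs" (plural, not possessive).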
+=item B<-no_alt_chains>
+
+When building a certificate chain, if the first certificate chain found is not
+trusted, then OpenSSL will continue to check to see if an alternative chain can
+be found that is trusted. With this option that behaviour is suppressed so that
+only the first chain found is ever used. Using this option will force the
+behaviour to match that of OpenSSL versions prior to 1.1.0.
+
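Review bot: the -no_alt_chains text cites "OpenSSL versions prior to 1.1.0" for the old behaviour, but the HISTORY section added in this patch records only -show_chain, so there is no version entry for -no_alt_chains itself; add one (or confirm the release the flag first shipped in) so the two places cannot disagree. It would also help to say plainly that, because the option only suppresses the search for an alternative trusted chain, it can make verification fail where it previously succeeded but never accepts an additional chain; otherwise readers may mistake it for a hardening flag.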
=item B<-untrusted file>
-A file of untrusted certificates. The file should contain multiple certificates
-in PEM format concatenated together.
+A file of untrusted certificates. The file should contain one or more
+certificates in PEM format.
+
+=item B<-trusted file>
+
+A file of trusted certificates. The file contain one or more
+certificates in PEM format.
+With this option, no additional (e.g., default) certificate lists
+are consulted. That is, the only trusted issuers are those listed
+in B<file>.
+This option cannot be used with the B<-CAfile> or B<-CApath> options.
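Review bot: "The file contain one or more certificates" under -trusted is missing "should"; mirror the -untrusted wording exactly ("The file should contain one or more certificates in PEM format."). The sentence that no default certificate lists are consulted is the important security statement here and reads well, but "cannot be used with the B<-CAfile> or B<-CApath> options" should say what happens when they are combined (an error, or which source wins), since the reader cannot tell from "cannot be used" alone.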
=item B<-use_deltas>
=item B<-verify_email email>
Verify if the B<email> matches the email address in Subject Alternative Name or
-the email the subject Distinguished Name.
+the email in the subject Distinguished Name.
=item B<-verify_hostname hostname>
For strict X.509 compliance, disable non-compliant workarounds for broken
certificates.
+=item B<-show_chain>
+
+Display information about the certificate chain that has been built (if
+successful). Certificates in the chain that came from the untrusted list will be
+flagged as "untrusted".
+
=item B<->
Indicates the last option. All arguments following this are assumed to be
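Review bot: under -show_chain, "flagged as "untrusted"" is easy to read as a failed check; clarify that the flag records where the certificate came from (the file given with -untrusted) and says nothing about the chain's validity, which at the point the chain is displayed has already been built successfully. "(if successful)" should also say whether anything is displayed when chain building fails.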
Although the issuer checks are a considerable improvement over the old technique they still
suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
trusted certificates with matching subject name must either appear in a file (as specified by the
-B<-CAfile> option) or a directory (as specified by B<-CApath>. If they occur in both then only
+B<-CAfile> option) or a directory (as specified by B<-CApath>). If they occur in both then only
the certificates in the file will be recognised.
Previous versions of OpenSSL assume certificates with matching subject name are identical and
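Review bot: the parenthesis fix in "(as specified by B<-CApath>)" is correct, but the paragraph still says trusted certificates with matching subject name "must either appear in a file (as specified by the B<-CAfile> option) or a directory (as specified by B<-CApath>)", while this patch introduces B<-trusted file> as a third source that replaces both; mention -trusted here, otherwise the limitation described is incomplete for the new option.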
=head1 SEE ALSO
-L<x509(1)|x509(1)>
+L<x509(1)>
+
+=head1 HISTORY
+
+The -show_chain option was first added to OpenSSL 1.1.0.
=cut
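Review bot: HISTORY writes a bare "-show_chain" while every other option on the page is written in the B<-show_chain> form; use the bold form for consistency. The section should also list -CRLfile, -crl_download, -no_alt_chains and -trusted, which this patch documents for the first time and which otherwise have no version record at all (only the -no_alt_chains text mentions 1.1.0, and only indirectly).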