{"srv_trusted", OPT_SRV_TRUSTED, 's',
"Trusted certificates for client authentication"},
{"srv_untrusted", OPT_SRV_UNTRUSTED, 's',
- "Intermediate certs for constructing chains for CMP protection by client"},
+ "Intermediate certs that may be useful for verifying CMP protection"},
{"rsp_cert", OPT_RSP_CERT, 's',
"Certificate to be returned as mock enrollment result"},
{"rsp_extracerts", OPT_RSP_EXTRACERTS, 's',
=item B<-srv_untrusted> I<filenames>
-Intermediate certs for constructing chains for CMP protection by client.
+Intermediate CA certs that may be useful when verifying client certificates.
=item B<-rsp_cert> I<filename>
OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the certificate store
containing trusted root CA certificates, which may be empty if unset.
-OSSL_CMP_CTX_set1_untrusted_certs() takes over a list of certificates containing
-non-trusted intermediate certs used for path construction in authentication
-of the CMP server and potentially others (TLS server, newly enrolled cert).
+OSSL_CMP_CTX_set1_untrusted_certs() sets up a list of non-trusted certificates
+of intermediate CAs that may be useful for path construction when authenticating
+the CMP server and when verifying newly enrolled certificates.
The reference counts of those certificates handled successfully are increased.
OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the
-list of untrusted certs, which my be empty if unset.
+list of untrusted certs, which may be empty if unset.
OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given B<ctx>.
The public key of this B<clCert> must correspond to