Allow proxy certs to be present when verifying a chain

[openssl.git] / doc / apps / verify.pod

diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 051cd624f1f6be42ce9793a395bfcb7c517422c6..0fd1799af25a20c394f4bd15480d7a735d881397 100644 (file)
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -12,6 +12,7 @@ B<openssl> B<verify>
 [B<-CApath directory>]
 [B<-no-CAfile>]
 [B<-no-CApath>]
+[B<-allow_proxy_certs>]
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-CRLfile file>]
@@ -83,6 +84,10 @@ Do not load the trusted CA certificates from the default file location
 
 Do not load the trusted CA certificates from the default directory location
 
+=item B<-allow_proxy_certs>
+
+Allow the verification of proxy certificates
+
 =item B<-attime timestamp>
 
 Perform validation checks using time specified by B<timestamp> and not
@@ -564,13 +569,18 @@ Invalid non-CA certificate has CA markings.
 
 Proxy path length constraint exceeded.
 
+=item B<X509_V_ERR_PROXY_SUBJECT_INVALID>
+
+Proxy certificate subject is invalid.  It MUST be the same as the issuer
+with a single CN component added.
+
 =item B<X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE>
 
 Key usage does not include digital signature.
 
 =item B<X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED>
 
-Proxy certificates not allowed, please set the appropriate flag.
+Proxy certificates not allowed, please use B<-allow_proxy_certs>.
 
 =item B<X509_V_ERR_INVALID_EXTENSION>