Diffstat (limited to 'doc/apps/verify.pod')
1 files changed, 13 insertions, 4 deletions
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index ff2629d2cf85..31875773e385 100644
@@ -66,6 +66,11 @@ certificate was rejected. However the presence of rejection messages
does not itself imply that anything is wrong: during the normal
verify process several rejections may take place.
+Verify the signature on the self-signed root CA. This is disabled by default
+because it doesn't add any security.
marks the last option. All arguments following this are assumed to be
@@ -166,8 +171,8 @@ the operation was successful.
=item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
-the issuer certificate could not be found: this occurs if the issuer certificate
-of an untrusted certificate cannot be found.
+the issuer certificate of a looked up certificate could not be found. This
+normally means the list of trusted certificates is not complete.
=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
@@ -244,8 +249,8 @@ be found locally.
=item B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate>
-the issuer certificate of a locally looked up certificate could not be found. This normally means
-the list of trusted certificates is not complete.
+the issuer certificate could not be found: this occurs if the issuer
+certificate of an untrusted certificate cannot be found.
=item B<21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate>
@@ -321,6 +326,10 @@ the certificates in the file will be recognised.
Previous versions of OpenSSL assume certificates with matching subject name are identical and
+Previous versions of this documentation swapped the meaning of the
+B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.
=head1 SEE ALSO