Linux "verify" Command Line Options and Examples
Utility to verify certificates

The verify command verifies certificate chains.


Usage:

openssl verify [-help] [-CAfile file] [-CApath directory] [-no-CAfile] [-no-CApath] [-allow_proxy_certs]
[-attime timestamp] [-check_ss_sig] [-CRLfile file] [-crl_download] [-crl_check] [-crl_check_all] [-engine id]
[-explicit_policy] [-extended_crl] [-ignore_critical] [-inhibit_any] [-inhibit_map] [-no_check_time]
[-partial_chain] [-policy arg] [-policy_check] [-policy_print] [-purpose purpose] [-suiteB_128]
[-suiteB_128_only] [-suiteB_192] [-trusted_first] [-no_alt_chains] [-untrusted file] [-trusted file]
[-use_deltas] [-verbose] [-auth_level level] [-verify_depth num] [-verify_email email] [-verify_hostname
hostname] [-verify_ip ip] [-verify_name name] [-x509_strict] [-show_chain] [-] [certificates]




Command Line Options:

-help
Print out a usage message.
verify -help ...
-CAfile
A file of trusted certificates. The file should contain one or more certificates in PEM format.
verify -CAfile ...
-CApath
A directory of trusted certificates. The certificates should have names of the form: hash.0 or have symbolic links to them of this form ("hash" is the hashed certificate subject name: see the -hash option of the x509 utility). Under Unix the c_rehash script will automatically create symbolic links to a directory of certificates.
verify -CApath ...
-no-CAfile
Do not load the trusted CA certificates from the default file location
verify -no-CAfile ...
-no-CApath
Do not load the trusted CA certificates from the default directory location
verify -no-CApath ...
-allow_proxy_certs
Allow the verification of proxy certificates
verify -allow_proxy_certs ...
-attime
Perform validation checks using time specified by timestamp and not current system time. timestamp is the number of seconds since 01.01.1970 (UNIX time).
verify -attime ...
-check_ss_sig
Verify the signature on the self-signed root CA. This is disabled by default because it doesn't add any security.
verify -check_ss_sig ...
-CRLfile
The file should contain one or more CRLs in PEM format. This option can be specified more than once to include CRLs from multiple files.
verify -CRLfile ...
-crl_download
Attempt to download CRL information for this certificate.
verify -crl_download ...
-crl_check
Checks end entity certificate validity by attempting to look up a valid CRL. If a valid CRL cannot be found an error occurs.
verify -crl_check ...
-crl_check_all
Checks the validity of all certificates in the chain by attempting to look up valid CRLs.
verify -crl_check_all ...
-engine
Specifying an engine id will cause verify(1) to attempt to load the specified engine. The engine will then be set as the default for all its supported algorithms. If you want to load certificates or CRLs that require engine support via any of the -trusted, -untrusted or -CRLfile options, the -engine option must be specified before those options.
verify -engine ...
-explicit_policy
Set policy variable require-explicit-policy (see RFC5280).
verify -explicit_policy ...
-extended_crl
Enable extended CRL features such as indirect CRLs and alternate CRL signing keys.
verify -extended_crl ...
-ignore_critical
Normally if an unhandled critical extension is present which is not supported by OpenSSL the certificate is rejected (as required by RFC5280). If this option is set critical extensions are ignored.
verify -ignore_critical ...
-inhibit_any
Set policy variable inhibit-any-policy (see RFC5280).
verify -inhibit_any ...
-inhibit_map
Set policy variable inhibit-policy-mapping (see RFC5280).
verify -inhibit_map ...
-no_check_time
This option suppresses checking the validity period of certificates and CRLs against the current time. If option -attime timestamp is used to specify a verification time, the check is not suppressed.
verify -no_check_time ...
-partial_chain
Allow verification to succeed even if a complete chain cannot be built to a self-signed trust-anchor, provided it is possible to construct a chain to a trusted certificate that might not be self-signed.
verify -partial_chain ...
-policy
Enable policy processing and add arg to the user-initial-policy-set (see RFC5280). The policy arg can be an object name or an OID in numeric form. This argument can appear more than once.
verify -policy ...
-policy_check
Enables certificate policy processing.
verify -policy_check ...
-policy_print
Print out diagnostics related to policy processing.
verify -policy_print ...
-purpose
The intended use for the certificate. If this option is not specified, verify will not consider certificate purpose during chain verification. Currently accepted uses are sslclient, sslserver, nssslserver, smimesign, smimeencrypt. See the VERIFY OPERATION section for more information.
verify -purpose ...
-suiteB_128, -suiteB_128_only, -suiteB_192
Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or 192 bit, or only 192 bit Level of Security respectively. See RFC6460 for details. In particular the supported signature algorithms are reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves P-256 and P-384.
verify -suiteB_128_only ...
-trusted_first
When constructing the certificate chain, use the trusted certificates specified via -CAfile, -CApath or
verify -trusted_first ...
-no_alt_chains
By default, unless -trusted_first is specified, when building a certificate chain, if the first certificate chain found is not trusted, then OpenSSL will attempt to replace untrusted issuer certificates with certificates from the trust store to see if an alternative chain can be found that is trusted. As of OpenSSL 1.1.0, with -trusted_first always on, this option has no effect.
verify -no_alt_chains ...
-untrusted
A file of additional untrusted certificates (intermediate issuer CAs) used to construct a certificate chain from the subject certificate to a trust-anchor. The file should contain one or more certificates in PEM format. This option can be specified more than once to include untrusted certificates from multiple files.
verify -untrusted ...
-trusted
A file of trusted certificates, which must be self-signed, unless the -partial_chain option is specified. The file contains one or more certificates in PEM format. With this option, no additional (e.g., default) certificate lists are consulted. That is, the only trust-anchors are those listed in file. This option can be specified more than once to include trusted certificates from multiple files. This option implies the -no-CAfile and -no-CApath options. This option cannot be used in combination with either of the
verify -trusted ...
-use_deltas
Enable support for delta CRLs.
verify -use_deltas ...
-verbose
Print extra information about the operations being performed.
verify -verbose ...
-auth_level
Set the certificate chain authentication security level to level. The authentication security level determines the acceptable signature and public key strength when verifying certificate chains. For a certificate chain to validate, the public keys of all the certificates must meet the specified security level. The signature algorithm security level is enforced for all the certificates in the chain except for the chain's trust anchor, which is either directly trusted or validated by means other than its signature. See SSL_CTX_set_security_level(3) for the definitions of the available levels. The default security level is -1, or "not set". At security level 0 or lower all algorithms are acceptable. Security level 1 requires at least 80-bit-equivalent security and is broadly interoperable, though it will, for example, reject MD5 signatures or RSA keys shorter than 1024 bits.
verify -auth_level ...
-verify_depth
Limit the certificate chain to num intermediate CA certificates. A maximal depth chain can have up to num+2 certificates, since neither the end-entity certificate nor the trust-anchor certificate count against the -verify_depth limit.
verify -verify_depth ...
-verify_email
Verify if the email matches the email address in Subject Alternative Name or the email in the subject Distinguished Name.
verify -verify_email ...
-verify_hostname
Verify if the hostname matches DNS name in Subject Alternative Name or Common Name in the subject certificate.
verify -verify_hostname ...
-verify_ip
Verify if the ip matches the IP address in Subject Alternative Name of the subject certificate.
verify -verify_ip ...
-verify_name
Use default verification policies like trust model and required certificate policies identified by name. The trust model determines which auxiliary trust or reject OIDs are applicable to verifying the given certificate chain. See the -addtrust and -addreject options of the x509(1) command-line utility. Supported policy names include: default, pkcs7, smime_sign, ssl_client, ssl_server. These mimic the combinations of purpose and trust settings used in SSL, CMS and S/MIME. As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not specified, so the -verify_name options are functionally equivalent to the corresponding -purpose settings.
verify -verify_name ...
-x509_strict
For strict X.509 compliance, disable non-compliant workarounds for broken certificates.
verify -x509_strict ...
-show_chain
Display information about the certificate chain that has been built (if successful). Certificates in the chain that came from the untrusted list will be flagged as "untrusted".
verify -show_chain ...