summaryrefslogtreecommitdiff
path: root/doc/man1
diff options
context:
space:
mode:
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2022-12-19 10:56:50 +0100
committerTomas Mraz <tomas@openssl.org>2023-02-08 16:29:00 +0100
commit260878f7aab7b077f4ef9496e3541ec8c19c9d1c (patch)
treebbc2c608d604b6ce31dfd061d84ac206749bf2bb /doc/man1
parenta8aad913ecc632405096b2b61942b2c782cc74f4 (diff)
downloadopenssl-new-260878f7aab7b077f4ef9496e3541ec8c19c9d1c.tar.gz
CMP app and doc: improve texts on (un-)trusted certs, srvCert, etc.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19946)
Diffstat (limited to 'doc/man1')
-rw-r--r--doc/man1/openssl-cmp.pod.in39
1 files changed, 20 insertions, 19 deletions
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 5d40a28747..dad1254558 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -528,15 +528,15 @@ Default is 0.
=item B<-trusted> I<filenames>|I<uris>
-When validating signature-based protection of CMP response messages,
-these are the CA certificate(s) to trust while checking certificate chains
-during CMP server authentication.
-This option gives more flexibility than the B<-srvcert> option because the
-server-side CMP signer certificate is not pinned but may be any certificate
-for which a chain to one of the given trusted certificates can be constructed.
+The certificate(s), typically of root CAs, the client shall use as trust anchors
+when validating signature-based protection of CMP response messages.
+This option is ignored if the B<-srvcert> option is given as well.
+It provides more flexibility than B<-srvcert> because the CMP protection
+certificate of the server is not pinned but may be any certificate
+from which a chain to one of the given trust anchors can be constructed.
-If no B<-trusted>, B<-srvcert>, and B<-secret> option is given
-then protected response messages from the server are not authenticated.
+If none of B<-trusted>, B<-srvcert>, and B<-secret> is given, message validation
+errors will be thrown unless B<-unprotected_errors> permits an exception.
Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
@@ -551,24 +551,24 @@ have no effect on the certificate verification enabled via this option.
Non-trusted intermediate CA certificate(s).
Any extra certificates given with the B<-cert> option are appended to it.
All these certificates may be useful for cert path construction
-for the CMP client certificate (to include in the extraCerts field of outgoing
-messages) and for the TLS client certificate (if TLS is enabled)
+for the own CMP signer certificate (to include in the extraCerts field of
+request messages) and for the TLS client certificate (if TLS is enabled)
as well as for chain building
-when validating the CMP server certificate (checking signature-based
+when validating server certificates (checking signature-based
CMP message protection) and when validating newly enrolled certificates.
-Multiple sources may be given, separated by commas and/or whitespace.
-Each file may contain multiple certificates.
+Multiple filenames or URLs may be given, separated by commas and/or whitespace.
+Each source may contain multiple certificates.
=item B<-srvcert> I<filename>|I<uri>
The specific CMP server certificate to expect and directly trust (even if it is
-expired) when validating signature-based protection of CMP response messages.
-May be set alternatively to the B<-trusted> option to pin the accepted server.
+expired) when verifying signature-based protection of CMP response messages.
+This pins the accepted server and results in ignoring the B<-trusted> option.
If set, the subject of the certificate is also used
as default value for the recipient of CMP requests
-and as default value for the expected sender of incoming CMP messages.
+and as default value for the expected sender of CMP responses.
=item B<-expect_sender> I<name>
@@ -588,8 +588,8 @@ For details see the description of the B<-subject> option.
=item B<-ignore_keyusage>
Ignore key usage restrictions in CMP signer certificates when validating
-signature-based protection of incoming CMP messages,
-else C<digitalSignature> must be allowed for signer certificate.
+signature-based protection of incoming CMP messages.
+By default, C<digitalSignature> must be allowed by CMP signer certificates.
=item B<-unprotected_errors>
@@ -744,7 +744,7 @@ Each source may contain multiple certificates.
=item B<-unprotected_requests>
-Send messages without CMP-level protection.
+Send request messages without CMP-level protection.
=back
@@ -1040,6 +1040,7 @@ Accept missing or invalid protection of requests.
=item B<-accept_unprot_err>
Accept unprotected error messages from client.
+So far this has no effect because the server does not accept any error messages.
=item B<-accept_raverified>