openssl-verification-options.1 - OpenGrok cross reference for /freebsd-src/secure/usr.bin/openssl/man/openssl-verification-options.1

Lines Matching full:must
236 In this case it must fully match a trust anchor, otherwise chain building fails.
269 must have extensions compatible with the specified purpose.
270 All certificates except the target or \*(L"leaf\*(R" must also be valid \s-1CA\s0 certificates.
276 It must be trusted for the given use.
368 The basicConstraints of \s-1CA\s0 certificates must be marked critical.
370 \&\s-1CA\s0 certificates must explicitly include the keyUsage extension.
372 If a pathlenConstraint is given the key usage keyCertSign must be allowed.
374 The pathlenConstraint must not be given for non-CA certificates.
376 The issuer name of any certificate must not be empty.
379 without subjectAlternativeName must not be empty.
381 If a subjectAlternativeName extension is given it must not be empty.
383 The signatureAlgorithm field and the cert signature must be consistent.
386 must not be marked critical.
388 The authorityKeyIdentifier must be given for X.509v3 certs unless they
391 The subjectKeyIdentifier must be given for all X.509v3 \s-1CA\s0 certs.
430 chain to validate, the public keys of all the certificates must meet the
605 made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the
620 The extended key usage extension must be absent or include the \*(L"web client
621 authentication\*(R" \s-1OID.\s0  The keyUsage extension must be absent or it must have the
622 digitalSignature bit set.  The Netscape certificate type must be absent
623 or it must have the \s-1SSL\s0 client bit set.
626 The extended key usage extension must be absent or include the \*(L"web client
628 The Netscape certificate type must be absent or it must have the \s-1SSL CA\s0 bit set.
632 The extended key usage extension must be absent or include the \*(L"web server
633 authentication\*(R" and/or one of the \s-1SGC\s0 OIDs.  The keyUsage extension must be
635 must have the digitalSignature, the keyEncipherment set or both bits set.
636 The Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set.
639 The extended key usage extension must be absent or include the \*(L"web server
640 authentication\*(R" and/or one of the \s-1SGC\s0 OIDs.  The Netscape certificate type must
641 be absent or the \s-1SSL CA\s0 bit must be set.
645 For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the
651 The extended key usage extension must be absent or include the \*(L"email
652 protection\*(R" \s-1OID.\s0  The Netscape certificate type must be absent or should have the
659 the nonRepudiation bit must be set if the keyUsage extension is present.
662 In addition to the common S/MIME tests the keyEncipherment bit must be set
666 The extended key usage extension must be absent or include the \*(L"email
667 protection\*(R" \s-1OID.\s0  The Netscape certificate type must be absent or must have the
672 The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit
677 must be present.
682 subject name must appear in a file (as specified by the \fB\-CAfile\fR option),