Commit 6a5fea7ec5 for openssl.org

commit 6a5fea7ec5df1c8cc4bb5006013301b41d0accd4
Author: Marcel Merkle <marcel.merkle@sap.com>
Date:   Mon Mar 9 10:01:28 2026 +0100

    Add more details to the certification path building documentation

    Added more details about the certification path building algorithm,
    especially about the behavior in case of incomplete chains in the trust
    store.

    Fixes #29681

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Tue Mar 24 17:24:15 2026
    (Merged from https://github.com/openssl/openssl/pull/30317)

diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod
index 2fd0881fa2..8e4edf0af1 100644
--- a/doc/man1/openssl-verification-options.pod
+++ b/doc/man1/openssl-verification-options.pod
@@ -212,6 +212,12 @@ it must allow for certificate signing (keyCertSign).
 The lookup first searches for issuer certificates in the trust store.
 If it does not find a match there it consults
 the list of untrusted ("intermediate" CA) certificates, if provided.
+If one issuer certificate was found in the trust store, the list of
+untrusted certificates will not be consulted anymore to find further
+issuer certificates. Therefore, either only the root certificate or an
+uninterrupted chain to the root certificate must be provided in the trust
+store for a successful verification, if B<X509_V_FLAG_PARTIAL_CHAIN>
+is not enabled.

 =head2 Certification Path Validation
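
Review bot: The closing condition of the added paragraph, "if B<X509_V_FLAG_PARTIAL_CHAIN> is not enabled", names a C API flag in a man1 page whose readers work with command-line options; refer to the B<-partial_chain> option there, or name it alongside the flag. The condition also trails a long sentence and is easy to miss, so consider leading with it, for example "Unless partial chains are allowed, the trust store must contain either only the root certificate or an uninterrupted chain to the root certificate." Separately, "If one issuer certificate was found" switches to past tense while the surrounding context lines use the present ("searches", "consults"); wording such as "Once an issuer certificate is found in the trust store, the list of untrusted certificates is no longer consulted for further issuer certificates" matches them and makes it clearer that the rule covers the rest of the path building, not only the current lookup.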