generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update X509v3 doc.

Browse Source
This commit is contained in:
Dr. Stephen Henson 2004-11-17 00:55:43 +00:00
parent 37dccd8ff2
commit 5dd87981bf
1 changed files with 43 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
doc/apps/x509v3_config.pod
View File

@ -50,7 +50,7 @@ use is defined by the extension code itself: check out the certificate
policies extension for an example. policies extension for an example.
If an extension type is unsupported then the I<arbitrary> extension syntax If an extension type is unsupported then the I<arbitrary> extension syntax
must be used, see the ARBITRARY EXTENSION section for more details. must be used, see the L<ARBITRART EXTENSIONS|/"ARBITRARY EXTENSIONS"> section for more details.
=head1 STANDARD EXTENSIONS =head1 STANDARD EXTENSIONS
@ -148,8 +148,12 @@ identifier from the parent certificate. If the value "always" is present
then an error is returned if the option fails. then an error is returned if the option fails.
The issuer option copies the issuer and serial number from the issuer The issuer option copies the issuer and serial number from the issuer
certificate. Normally this will only be done if the keyid option fails or certificate. This will only be done if the keyid option fails or
is not included: the "always" flag will always include the value. is not included unless the "always" flag will always include the value.
Example:
authorityKeyIdentifier=keyid,issuer
=head2 Subject Alternative Name. =head2 Subject Alternative Name.
@ -237,7 +241,7 @@ Examples:
=head2 Certificate Policies. =head2 Certificate Policies.
This is a B<raw> extension. All the fields of this extension can be set by This is a I<raw> extension. All the fields of this extension can be set by
using the appropriate syntax. using the appropriate syntax.
If you follow the PKIX recommendations and just using one OID then you just If you follow the PKIX recommendations and just using one OID then you just
@ -308,10 +312,26 @@ Example:
inhibitAnyPolicy = 2 inhibitAnyPolicy = 2
=head2 Name Constraints
The name constraints extension is a multi-valued extension. The name should
begin with the word B<permitted> or B<excluded> followed by a B<;>. The rest of
the name and the value follows the syntax of subjectAltName except email:copy
is not supported and the B<IP> form should consist of an IP addresses and
subnet mask separated by a B</>.
Examples:
nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
nameConstraints=permitted;email:.somedomain.com
nameConstraints=excluded;email:.com
=head1 DEPRECATED EXTENSIONS =head1 DEPRECATED EXTENSIONS
The following extensions are considered non standard, Netscape specific and The following extensions are non standard, Netscape specific and largely
largely obsolete. Their use in new applications is discouraged. obsolete. Their use in new applications is discouraged.
=head2 Netscape String extensions. =head2 Netscape String extensions.
@ -415,3 +435,20 @@ will only recognize the last value. This can be worked around by using the form:
email.1=steve@here email.1=steve@here
email.2=steve@there email.2=steve@there
=head1 HISTORY
The X509v3 extension code was first added to OpenSSL 0.9.2.
Policy mappings, name constraints, inhibit any policy and name
constraints support was added in OpenSSL 0.9.8
The B<directoryName> and B<otherName> option as well as the B<ASN1> option
for arbitrary extensions was added in OpenSSL 0.9.8
=head1 SEE ALSO
L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>
=cut