policies extension for an example.
If an extension type is unsupported then the I<arbitrary> extension syntax
-must be used, see the L<ARBITRARY EXTENSIONS|/"ARBITRARY EXTENSIONS"> section for more details.
+must be used, see the L</ARBITRARY EXTENSIONS> section for more details.
=head1 STANDARD EXTENSIONS
The following sections describe each supported extension in detail.
-=head2 Basic Constraints.
+=head2 Basic Constraints
This is a multi valued extension which indicates whether a certificate is
a CA certificate. The first (mandatory) name is B<CA> followed by B<TRUE> or
-B<FALSE>. If B<CA> is B<TRUE> then an optional B<pathlen> name followed by an
+B<FALSE>. If B<CA> is B<TRUE> then an optional B<pathlen> name followed by a
non-negative value can be included.
For example:
only be used to sign end user certificates and not further CAs.
-=head2 Key Usage.
+=head2 Key Usage
Key usage is a multi valued extension consisting of a list of names of the
permitted key usages.
keyUsage=critical, keyCertSign
-=head2 Extended Key Usage.
+=head2 Extended Key Usage
This extensions consists of a list of usages indicating purposes for which
the certificate public key can be used for,
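Review bot: The paragraph under the renamed Extended Key Usage heading still reads "This extensions consists" and "for which the certificate public key can be used for", and this patch is otherwise a typo sweep. Suggest fixing it in the same change: "This extension consists of a list of usages indicating purposes for which the certificate public key can be used".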
extendedKeyUsage=serverAuth,clientAuth
-=head2 Subject Key Identifier.
+=head2 Subject Key Identifier
This is really a string extension and can take two possible values. Either
the word B<hash> which will automatically follow the guidelines in RFC3280
subjectKeyIdentifier=hash
-=head2 Authority Key Identifier.
+=head2 Authority Key Identifier
The authority key identifier extension permits two options. keyid and issuer:
both can take the optional value "always".
authorityKeyIdentifier=keyid,issuer
-=head2 Subject Alternative Name.
+=head2 Subject Alternative Name
The subject alternative name extension allows various literal values to be
included in the configuration file. These include B<email> (an email address)
CN=My Name
-=head2 Issuer Alternative Name.
+=head2 Issuer Alternative Name
The issuer alternative name option supports all the literal options of
subject alternative name. It does B<not> support the email:copy option because
Example:
- issuserAltName = issuer:copy
+ issuerAltName = issuer:copy
-=head2 Authority Info Access.
+=head2 Authority Info Access
The authority information access extension gives details about how to access
certain information relating to the CA. Its syntax is accessOID;location
CN=Some Name
-=head2 Certificate Policies.
+=head2 Certificate Policies
This is a I<raw> extension. All the fields of this extension can be set by
using the appropriate syntax.
noticeNumbers=1,2,3,4
The B<ia5org> option changes the type of the I<organization> field. In RFC2459
-it can only be of type DisplayText. In RFC3280 IA5Strring is also permissible.
+it can only be of type DisplayText. In RFC3280 IA5String is also permissible.
Some software (for example some versions of MSIE) may require ia5org.
+ASN1 type of explicitText can be specified by prepending B<UTF8>,
+B<BMP> or B<VISIBLE> prefix followed by colon. For example:
+
+ [notice]
+ explicitText="UTF8:Explicit Text Here"
+
=head2 Policy Constraints
This is a multi-valued extension which consisting of the names
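Review bot: The new explicitText paragraph names the B<UTF8>, B<BMP> and B<VISIBLE> prefixes but does not say which ASN.1 type is used when no prefix is given, so a reader cannot tell whether the existing unprefixed form changes behaviour. Please state the default, and tidy the wording to "The ASN.1 type of explicitText can be specified by prepending a B<UTF8>, B<BMP> or B<VISIBLE> prefix followed by a colon". The following Policy Constraints paragraph also still reads "which consisting of the names" and could be corrected in the same pass.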
The following extensions are non standard, Netscape specific and largely
obsolete. Their use in new applications is discouraged.
-=head2 Netscape String extensions.
+=head2 Netscape String extensions
Netscape Comment (B<nsComment>) is a string extension containing a comment
which will be displayed when the certificate is viewed in some browsers.
basicConstraints=critical,DER:00:01:02:03
-=head1 WARNING
+=head1 WARNINGS
There is no guarantee that a specific implementation will process a given
extension. It may therefore be sometimes possible to use certificates for
The DER and ASN1 options should be used with caution. It is possible to create
totally invalid extensions if they are not used carefully.
-
=head1 NOTES
If an extension is multi-value and a field value must contain a comma the long
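Review bot: Removing the empty line directly above =head1 NOTES is only safe if another blank line still separates it from the preceding paragraph. A POD command paragraph must follow a blank line, otherwise the =head1 is read as part of the text before it. Please confirm the result with podchecker.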
=head1 SEE ALSO
-L<req(1)>, L<ca(1)>, L<x509(1)>,
+L<openssl-req(1)>, L<openssl-ca(1)>, L<openssl-x509(1)>,
L<ASN1_generate_nconf(3)>
=head1 COPYRIGHT
Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
-Licensed under the OpenSSL license (the "License"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
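Review bot: The licence line changes to Apache License 2.0 while the copyright line above it still reads "Copyright 2004-2016", although the file is being modified in this patch. Suggest updating the end year in the same change so the notice matches the last modification.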