X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fapps%2Fx509v3_config.pod;h=edfd76e125a0098d5a60fe52410d81a2f485b86a;hp=fe9b7501669b9c33ddfa0fb3fef3274ada15cc6d;hb=0e74d7ca440a3a7fbb7ddd6873e2f494d87f8d0e;hpb=085ccc542a3a65014e7ddfdb50824c78e644e437 diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod index fe9b750166..edfd76e125 100644 --- a/doc/apps/x509v3_config.pod +++ b/doc/apps/x509v3_config.pod @@ -88,7 +88,7 @@ only be used to sign end user certificates and not further CAs. Key usage is a multi valued extension consisting of a list of names of the permitted key usages. -The supporte names are: digitalSignature, nonRepudiation, keyEncipherment, +The supported names are: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly and decipherOnly. @@ -104,28 +104,28 @@ Examples: This extensions consists of a list of usages indicating purposes for which the certificate public key can be used for, -These can either be object short names of the dotted numerical form of OIDs. +These can either be object short names or the dotted numerical form of OIDs. While any OID can be used only certain values make sense. In particular the following PKIX, NS and MS values are meaningful: - Value Meaning - ----- ------- - serverAuth SSL/TLS Web Server Authentication. - clientAuth SSL/TLS Web Client Authentication. - codeSigning Code signing. - emailProtection E-mail Protection (S/MIME). - timeStamping Trusted Timestamping - msCodeInd Microsoft Individual Code Signing (authenticode) - msCodeCom Microsoft Commercial Code Signing (authenticode) - msCTLSign Microsoft Trust List Signing - msSGC Microsoft Server Gated Crypto - msEFS Microsoft Encrypted File System - nsSGC Netscape Server Gated Crypto + Value Meaning + ----- ------- + serverAuth SSL/TLS Web Server Authentication. + clientAuth SSL/TLS Web Client Authentication. + codeSigning Code signing. + emailProtection E-mail Protection (S/MIME). + timeStamping Trusted Timestamping + OCSPSigning OCSP Signing + ipsecIKE ipsec Internet Key Exchange + msCodeInd Microsoft Individual Code Signing (authenticode) + msCodeCom Microsoft Commercial Code Signing (authenticode) + msCTLSign Microsoft Trust List Signing + msEFS Microsoft Encrypted File System Examples: extendedKeyUsage=critical,codeSigning,1.2.3.4 - extendedKeyUsage=nsSGC,msSGC + extendedKeyUsage=serverAuth,clientAuth =head2 Subject Key Identifier. @@ -174,11 +174,11 @@ The IP address used in the B options can be in either IPv4 or IPv6 format. The value of B should point to a section containing the distinguished name to use as a set of name value pairs. Multi values AVAs can be formed by -preceding the name with a B<+> character. +prefacing the name with a B<+> character. otherName can include arbitrary data associated with an OID: the value should be the OID followed by a semicolon and the content in standard -L format. +L format. Examples: @@ -202,7 +202,7 @@ Examples: The issuer alternative name option supports all the literal options of subject alternative name. It does B support the email:copy option because that would not make sense. It does support an additional issuer:copy option -that will copy all the subject alternative name values from the issuer +that will copy all the subject alternative name values from the issuer certificate (if possible). Example: @@ -224,7 +224,7 @@ Example: authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html -=head2 CRL distribution points. +=head2 CRL distribution points This is a multi-valued extension whose options can be either in name:value pair using the same form as subject alternative name or a single value representing @@ -358,7 +358,7 @@ Some software (for example some versions of MSIE) may require ia5org. =head2 Policy Constraints This is a multi-valued extension which consisting of the names -B or B and a non negative intger +B or B and a non negative integer value. At least one component must be present. Example: @@ -380,7 +380,7 @@ Example: The name constraints extension is a multi-valued extension. The name should begin with the word B or B followed by a B<;>. The rest of the name and the value follows the syntax of subjectAltName except email:copy -is not supported and the B form should consist of an IP addresses and +is not supported and the B form should consist of an IP addresses and subnet mask separated by a B. Examples: @@ -401,6 +401,20 @@ Example: noCheck = ignored +=head2 TLS Feature (aka Must Staple) + +This is a multi-valued extension consisting of a list of TLS extension +identifiers. Each identifier may be a number (0..65535) or a supported name. +When a TLS client sends a listed extension, the TLS server is expected to +include that extension in its reply. + +The supported names are: B and B. + +Example: + + tlsfeature = status_request + + =head1 DEPRECATED EXTENSIONS The following extensions are non standard, Netscape specific and largely @@ -441,7 +455,7 @@ the data is formatted correctly for the given extension type. There are two ways to encode arbitrary extensions. The first way is to use the word ASN1 followed by the extension content -using the same syntax as L. +using the same syntax as L. For example: 1.2.3.4=critical,ASN1:UTF8String:Some random data @@ -491,7 +505,7 @@ will produce an error but the equivalent form: [subject_alt_section] subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar -is valid. +is valid. Due to the behaviour of the OpenSSL B library the same field name can only occur once in a section. This means that: @@ -510,20 +524,18 @@ will only recognize the last value. This can be worked around by using the form: email.1=steve@here email.2=steve@there -=head1 HISTORY - -The X509v3 extension code was first added to OpenSSL 0.9.2. - -Policy mappings, inhibit any policy and name constraints support was added in -OpenSSL 0.9.8 +=head1 SEE ALSO -The B and B option as well as the B option -for arbitrary extensions was added in OpenSSL 0.9.8 +L, L, L, +L -=head1 SEE ALSO +=head1 COPYRIGHT -L, L, L, -L +Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. =cut