OLD | NEW |
1 =pod | 1 =pod |
2 | 2 |
3 =for comment openssl_manual_section:5 | 3 =for comment openssl_manual_section:5 |
4 | 4 |
5 =head1 NAME | 5 =head1 NAME |
6 | 6 |
7 x509v3_config - X509 V3 certificate extension configuration format | 7 x509v3_config - X509 V3 certificate extension configuration format |
8 | 8 |
9 =head1 DESCRIPTION | 9 =head1 DESCRIPTION |
10 | 10 |
(...skipping 34 matching lines...)
45 pathlen=1 | 45 pathlen=1 |
46 | 46 |
47 Both forms are equivalent. | 47 Both forms are equivalent. |
48 | 48 |
49 The syntax of raw extensions is governed by the extension code: it can | 49 The syntax of raw extensions is governed by the extension code: it can |
50 for example contain data in multiple sections. The correct syntax to | 50 for example contain data in multiple sections. The correct syntax to |
51 use is defined by the extension code itself: check out the certificate | 51 use is defined by the extension code itself: check out the certificate |
52 policies extension for an example. | 52 policies extension for an example. |
53 | 53 |
54 If an extension type is unsupported then the I<arbitrary> extension syntax | 54 If an extension type is unsupported then the I<arbitrary> extension syntax |
55 must be used, see the L<ARBITRART EXTENSIONS|/"ARBITRARY EXTENSIONS"> section fo
r more details. | 55 must be used, see the L<ARBITRARY EXTENSIONS|/"ARBITRARY EXTENSIONS"> section fo
r more details. |
56 | 56 |
57 =head1 STANDARD EXTENSIONS | 57 =head1 STANDARD EXTENSIONS |
58 | 58 |
59 The following sections describe each supported extension in detail. | 59 The following sections describe each supported extension in detail. |
60 | 60 |
61 =head2 Basic Constraints. | 61 =head2 Basic Constraints. |
62 | 62 |
63 This is a multi valued extension which indicates whether a certificate is | 63 This is a multi valued extension which indicates whether a certificate is |
64 a CA certificate. The first (mandatory) name is B<CA> followed by B<TRUE> or | 64 a CA certificate. The first (mandatory) name is B<CA> followed by B<TRUE> or |
65 B<FALSE>. If B<CA> is B<TRUE> then an optional B<pathlen> name followed by an | 65 B<FALSE>. If B<CA> is B<TRUE> then an optional B<pathlen> name followed by an |
(...skipping 105 matching lines...)
171 the extension. | 171 the extension. |
172 | 172 |
173 The IP address used in the B<IP> options can be in either IPv4 or IPv6 format. | 173 The IP address used in the B<IP> options can be in either IPv4 or IPv6 format. |
174 | 174 |
175 The value of B<dirName> should point to a section containing the distinguished | 175 The value of B<dirName> should point to a section containing the distinguished |
176 name to use as a set of name value pairs. Multi values AVAs can be formed by | 176 name to use as a set of name value pairs. Multi values AVAs can be formed by |
177 preceeding the name with a B<+> character. | 177 preceeding the name with a B<+> character. |
178 | 178 |
179 otherName can include arbitrary data associated with an OID: the value | 179 otherName can include arbitrary data associated with an OID: the value |
180 should be the OID followed by a semicolon and the content in standard | 180 should be the OID followed by a semicolon and the content in standard |
181 ASN1_generate_nconf() format. | 181 L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)> format. |
182 | 182 |
183 Examples: | 183 Examples: |
184 | 184 |
185 subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/ | 185 subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/ |
186 subjectAltName=IP:192.168.7.1 | 186 subjectAltName=IP:192.168.7.1 |
187 subjectAltName=IP:13::17 | 187 subjectAltName=IP:13::17 |
188 subjectAltName=email:my@other.address,RID:1.2.3.4 | 188 subjectAltName=email:my@other.address,RID:1.2.3.4 |
189 subjectAltName=otherName:1.2.3.4;UTF8:some other identifier | 189 subjectAltName=otherName:1.2.3.4;UTF8:some other identifier |
190 | 190 |
191 subjectAltName=dirName:dir_sect | 191 subjectAltName=dirName:dir_sect |
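Review bot: Two spelling errors remain in the unchanged context just above the corrected ASN1_generate_nconf(3) link: "Multi values AVAs" at line 176 should be "Multi-valued AVAs" and "preceeding" at line 177 should be "preceding". The commit already edits this paragraph for the link, so fix them in the same change.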
(...skipping 27 matching lines...)
219 certain values are meaningful, for example OCSP and caIssuers. | 219 certain values are meaningful, for example OCSP and caIssuers. |
220 | 220 |
221 Example: | 221 Example: |
222 | 222 |
223 authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ | 223 authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ |
224 authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html | 224 authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html |
225 | 225 |
226 | 226 |
227 =head2 CRL distribution points. | 227 =head2 CRL distribution points. |
228 | 228 |
229 This is a multi-valued extension that supports all the literal options of | 229 This is a multi-valued extension whose options can be either in name:value pair |
230 subject alternative name. Of the few software packages that currently interpret | 230 using the same form as subject alternative name or a single value representing |
231 this extension most only interpret the URI option. | 231 a section name containing all the distribution point fields. |
232 | 232 |
233 Currently each option will set a new DistributionPoint with the fullName | 233 For a name:value pair a new DistributionPoint with the fullName field set to |
234 field set to the given value. | 234 the given value both the cRLissuer and reasons fields are omitted in this case. |
235 | 235 |
236 Other fields like cRLissuer and reasons cannot currently be set or displayed: | 236 In the single option case the section indicated contains values for each |
237 at this time no examples were available that used these fields. | 237 field. In this section: |
238 | 238 |
239 Examples: | 239 If the name is "fullname" the value field should contain the full name |
| 240 of the distribution point in the same format as subject alternative name. |
| 241 |
| 242 If the name is "relativename" then the value field should contain a section |
| 243 name whose contents represent a DN fragment to be placed in this field. |
| 244 |
| 245 The name "CRLIssuer" if present should contain a value for this field in |
| 246 subject alternative name format. |
| 247 |
| 248 If the name is "reasons" the value field should consist of a comma |
| 249 separated field containing the reasons. Valid reasons are: "keyCompromise", |
| 250 "CACompromise", "affiliationChanged", "superseded", "cessationOfOperation", |
| 251 "certificateHold", "privilegeWithdrawn" and "AACompromise". |
| 252 |
| 253 |
| 254 Simple examples: |
240 | 255 |
241 crlDistributionPoints=URI:http://myhost.com/myca.crl | 256 crlDistributionPoints=URI:http://myhost.com/myca.crl |
242 crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl | 257 crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl |
243 | 258 |
| 259 Full distribution point example: |
| 260 |
| 261 crlDistributionPoints=crldp1_section |
| 262 |
| 263 [crldp1_section] |
| 264 |
| 265 fullname=URI:http://myhost.com/myca.crl |
| 266 CRLissuer=dirName:issuer_sect |
| 267 reasons=keyCompromise, CACompromise |
| 268 |
| 269 [issuer_sect] |
| 270 C=UK |
| 271 O=Organisation |
| 272 CN=Some Name |
| 273 |
| 274 =head2 Issuing Distribution Point |
| 275 |
| 276 This extension should only appear in CRLs. It is a multi valued extension |
| 277 whose syntax is similar to the "section" pointed to by the CRL distribution |
| 278 points extension with a few differences. |
| 279 |
| 280 The names "reasons" and "CRLissuer" are not recognized. |
| 281 |
| 282 The name "onlysomereasons" is accepted which sets this field. The value is |
| 283 in the same format as the CRL distribution point "reasons" field. |
| 284 |
| 285 The names "onlyuser", "onlyCA", "onlyAA" and "indirectCRL" are also accepted |
| 286 the values should be a boolean value (TRUE or FALSE) to indicate the value of |
| 287 the corresponding field. |
| 288 |
| 289 Example: |
| 290 |
| 291 issuingDistributionPoint=critical, @idp_section |
| 292 |
| 293 [idp_section] |
| 294 |
| 295 fullname=URI:http://myhost.com/myca.crl |
| 296 indirectCRL=TRUE |
| 297 onlysomereasons=keyCompromise, CACompromise |
| 298 |
| 299 [issuer_sect] |
| 300 C=UK |
| 301 O=Organisation |
| 302 CN=Some Name |
| 303 |
| 304 |
244 =head2 Certificate Policies. | 305 =head2 Certificate Policies. |
245 | 306 |
246 This is a I<raw> extension. All the fields of this extension can be set by | 307 This is a I<raw> extension. All the fields of this extension can be set by |
247 using the appropriate syntax. | 308 using the appropriate syntax. |
248 | 309 |
249 If you follow the PKIX recommendations and just using one OID then you just | 310 If you follow the PKIX recommendations and just using one OID then you just |
250 include the value of that OID. Multiple OIDs can be set separated by commas, | 311 include the value of that OID. Multiple OIDs can be set separated by commas, |
251 for example: | 312 for example: |
252 | 313 |
253 certificatePolicies= 1.2.4.5, 1.1.3.4 | 314 certificatePolicies= 1.2.4.5, 1.1.3.4 |
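Review bot: The sentence at new lines 233-234 is missing its verb and a break between its two clauses; "For a name:value pair a new DistributionPoint with the fullName field set to the given value both the cRLissuer and reasons fields are omitted in this case." should read "For a name:value pair a new DistributionPoint is created with the fullName field set to the given value; both the cRLissuer and reasons fields are omitted in this case." The field name is also spelled three ways in this hunk ("cRLissuer" at 234, "CRLIssuer" at 245, "CRLissuer" at 266): document the spelling the parser accepts, or state that the match is case-insensitive. In the Issuing Distribution Point example the "[issuer_sect]" block at 299-302 is never referenced, since line 280 says "CRLissuer" is not recognized for this extension, so it should be dropped; and the two examples use different section-reference forms ("crlDistributionPoints=crldp1_section" versus "issuingDistributionPoint=critical, @idp_section"), so either both forms need explaining at 229-231 or the examples should be made consistent. Minor: 285-286 needs punctuation ("are also accepted; the values should be a boolean value ..."), and the new heading at 274 lacks the trailing period used by the neighbouring =head2 headings in this file.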
(...skipping 68 matching lines...)
322 is not supported and the B<IP> form should consist of an IP addresses and | 383 is not supported and the B<IP> form should consist of an IP addresses and |
323 subnet mask separated by a B</>. | 384 subnet mask separated by a B</>. |
324 | 385 |
325 Examples: | 386 Examples: |
326 | 387 |
327 nameConstraints=permitted;IP:192.168.0.0/255.255.0.0 | 388 nameConstraints=permitted;IP:192.168.0.0/255.255.0.0 |
328 | 389 |
329 nameConstraints=permitted;email:.somedomain.com | 390 nameConstraints=permitted;email:.somedomain.com |
330 | 391 |
331 nameConstraints=excluded;email:.com | 392 nameConstraints=excluded;email:.com |
| 393 issuingDistributionPoint = idp_section |
| 394 |
| 395 =head2 OCSP No Check |
| 396 |
| 397 The OCSP No Check extension is a string extension but its value is ignored. |
| 398 |
| 399 Example: |
| 400 |
| 401 noCheck = ignored |
| 402 |
332 | 403 |
333 =head1 DEPRECATED EXTENSIONS | 404 =head1 DEPRECATED EXTENSIONS |
334 | 405 |
335 The following extensions are non standard, Netscape specific and largely | 406 The following extensions are non standard, Netscape specific and largely |
336 obsolete. Their use in new applications is discouraged. | 407 obsolete. Their use in new applications is discouraged. |
337 | 408 |
338 =head2 Netscape String extensions. | 409 =head2 Netscape String extensions. |
339 | 410 |
340 Netscape Comment (B<nsComment>) is a string extension containing a comment | 411 Netscape Comment (B<nsComment>) is a string extension containing a comment |
341 which will be displayed when the certificate is viewed in some browsers. | 412 which will be displayed when the certificate is viewed in some browsers. |
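Review bot: New line 393, "issuingDistributionPoint = idp_section", is appended directly under the nameConstraints examples with no blank line and no connection to that section; it reads as a stray paste from the Issuing Distribution Point example (which itself uses "@idp_section") and should be removed. The OCSP No Check addition is otherwise fine; "but its value is ignored" could state explicitly that any value may be supplied, which is what the "noCheck = ignored" example implies.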
(...skipping 21 matching lines...)
363 =head1 ARBITRARY EXTENSIONS | 434 =head1 ARBITRARY EXTENSIONS |
364 | 435 |
365 If an extension is not supported by the OpenSSL code then it must be encoded | 436 If an extension is not supported by the OpenSSL code then it must be encoded |
366 using the arbitrary extension format. It is also possible to use the arbitrary | 437 using the arbitrary extension format. It is also possible to use the arbitrary |
367 format for supported extensions. Extreme care should be taken to ensure that | 438 format for supported extensions. Extreme care should be taken to ensure that |
368 the data is formatted correctly for the given extension type. | 439 the data is formatted correctly for the given extension type. |
369 | 440 |
370 There are two ways to encode arbitrary extensions. | 441 There are two ways to encode arbitrary extensions. |
371 | 442 |
372 The first way is to use the word ASN1 followed by the extension content | 443 The first way is to use the word ASN1 followed by the extension content |
373 using the same syntax as ASN1_generate_nconf(). For example: | 444 using the same syntax as L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)>. |
| 445 For example: |
374 | 446 |
375 1.2.3.4=critical,ASN1:UTF8String:Some random data | 447 1.2.3.4=critical,ASN1:UTF8String:Some random data |
376 | 448 |
377 1.2.3.4=ASN1:SEQUENCE:seq_sect | 449 1.2.3.4=ASN1:SEQUENCE:seq_sect |
378 | 450 |
379 [seq_sect] | 451 [seq_sect] |
380 | 452 |
381 field1 = UTF8:field1 | 453 field1 = UTF8:field1 |
382 field2 = UTF8:field2 | 454 field2 = UTF8:field2 |
383 | 455 |
(...skipping 59 matching lines...)
443 The X509v3 extension code was first added to OpenSSL 0.9.2. | 515 The X509v3 extension code was first added to OpenSSL 0.9.2. |
444 | 516 |
445 Policy mappings, inhibit any policy and name constraints support was added in | 517 Policy mappings, inhibit any policy and name constraints support was added in |
446 OpenSSL 0.9.8 | 518 OpenSSL 0.9.8 |
447 | 519 |
448 The B<directoryName> and B<otherName> option as well as the B<ASN1> option | 520 The B<directoryName> and B<otherName> option as well as the B<ASN1> option |
449 for arbitrary extensions was added in OpenSSL 0.9.8 | 521 for arbitrary extensions was added in OpenSSL 0.9.8 |
450 | 522 |
451 =head1 SEE ALSO | 523 =head1 SEE ALSO |
452 | 524 |
453 L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)> | 525 L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>, |
| 526 L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)> |
454 | 527 |
455 | 528 |
456 =cut | 529 =cut |
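Review bot: The HISTORY section (new lines 515-521) is not updated for the functionality this change documents, namely the full-section form of crlDistributionPoints, the issuingDistributionPoint extension and the noCheck extension; add a line naming the release in which they were introduced, in the same style as the existing 0.9.8 entries. The added SEE ALSO link to ASN1_generate_nconf(3) is fine.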