author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2022-05-31 10:02:02 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2022-07-14 15:02:57 +0200 |
commit | ff238172e26aa0a3f795cbfd60b9615e3e00a216 (patch) | |
tree | 0e39b92f7137340fa4ac0d5dbbcfc855551d9fb2 | |
parent | 55eafed6fbefbc1e725bf7b17b2bbca083a457fc (diff) |
x509.pod: fix description of certificate serial number storage
Backported from https://github.com/openssl/openssl/pull/18373
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18803)
-rw-r--r-- | doc/man1/x509.pod | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod index 67d131389a..8b812a5d09 100644 --- a/doc/man1/x509.pod +++ b/doc/man1/x509.pod @@ -434,24 +434,26 @@ the CA certificate file. Sets the CA serial number file to use. -When the B<-CA> option is used to sign a certificate it uses a serial -number specified in a file. This file consists of one line containing -an even number of hex digits with the serial number to use. After each -use the serial number is incremented and written out to the file again. +When creating a certificate with this option, and with the B<-CA> option, +the certificate serial number is stored in the given file. +This file consists of one line containing +an even number of hex digits with the serial number used last time. +After reading this number, it is incremented and used, and the file is updated. The default filename consists of the CA certificate file base name with ".srl" appended. For example if the CA certificate file is called "mycacert.pem" it expects to find a serial number file called "mycacert.srl". -If the B<-CA> option is specified and both the <-CAserial> and <-CAcreateserial> -options are not given and the default serial number file does not exist, +If the B<-CA> option is specified and neither <-CAserial> or <-CAcreateserial> +is given and the default serial number file does not exist, a random number is generated; this is the recommended practice. =item B<-CAcreateserial> -With this option the CA serial number file is created if it does not exist. -A random number is generated, used for the certificate, and saved into the -serial number file in that case. +With this option and the B<-CA> option +the CA serial number file is created if it does not exist. +A random number is generated, used for the certificate, +and saved into the serial number file determined as described above. =item B<-extfile filename> |
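Review bot: In the added sentence "If the B<-CA> option is specified and neither <-CAserial> or <-CAcreateserial> is given", the conjunction should be "nor", and both option names are missing the B formatting code, so POD will print the angle brackets literally instead of rendering the options in bold like B<-CA> earlier in the same sentence. Suggest "neither B<-CAserial> nor B<-CAcreateserial> is given". Separately, in "After reading this number, it is incremented and used, and the file is updated", the pronoun "it" has no clear subject; wording such as "The number is read, incremented and used, and the file is updated" would make it plain that the file holds the last-used value and the certificate receives that value plus one.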