diff options
| author | Rich Salz <rsalz@akamai.com> | 2020-04-27 12:57:01 -0400 |
|---|---|---|
| committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-06-03 09:57:02 +0200 |
| commit | 2b584ff372b2b25bb6801172bbeb90074b26f88c (patch) | |
| tree | 20122111e48f09629139171db24e532484b981e8 | |
| parent | 4e6e57cfcdd75b827ff7171927d87e95b5b86ae8 (diff) | |
Update manpage to fix examples, other minor tweaks
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
| -rw-r--r-- | doc/man7/proxy-certificates.pod | 32 | ||||
| -rw-r--r-- | test/recipes/25-test_verify_store.t | 2 | ||||
| -rw-r--r-- | test/recipes/80-test_ssl_old.t | 4 | ||||
| -rw-r--r-- | test/recipes/90-test_store.t | 2 |
4 files changed, 19 insertions, 21 deletions
diff --git a/doc/man7/proxy-certificates.pod b/doc/man7/proxy-certificates.pod index ca1f491ac5..eab28b5658 100644 --- a/doc/man7/proxy-certificates.pod +++ b/doc/man7/proxy-certificates.pod @@ -57,24 +57,22 @@ See L</NOTES> for a discussion on this requirement. Creating proxy certificates can be done using the L<openssl-x509(1)> command, with some extra extensions: - [ v3_proxy ] + [ proxy ] # A proxy certificate MUST NEVER be a CA certificate. - basicConstraints=CA:FALSE - + basicConstraints = CA:FALSE # Usual authority key ID - authorityKeyIdentifier=keyid,issuer:always - + authorityKeyIdentifier = keyid,issuer:always # The extension which marks this certificate as a proxy - proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB + proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB It's also possible to specify the proxy extension in a separate section: - proxyCertInfo=critical,@proxy_ext + proxyCertInfo = critical,@proxy_ext [ proxy_ext ] - language=id-ppl-anyLanguage - pathlen=0 - policy=text:BC + language = id-ppl-anyLanguage + pathlen = 0 + policy = text:BC The policy value has a specific syntax, I<syntag>:I<string>, where the I<syntag> determines what will be done with the string. The following @@ -99,12 +97,12 @@ colons between each byte (every second hex digit): indicates that the text of the policy should be taken from a file. The string is then a filename. This is useful for policies that are -large (more than a few lines, e.g. XML documents). +more than a few lines, such as XML or other markup. =back -I<NOTE: The proxy policy value is what determines the rights granted -to the process during the proxy certificate. It's up to the +Note that the proxy policy value is what determines the rights granted +to the process during the proxy certificate, and it is up to the application to interpret and combine these policies.> With a proxy extension, creating a proxy certificate is a matter of @@ -112,19 +110,19 @@ two commands: openssl req -new -config proxy.cnf \ -out proxy.req -keyout proxy.key \ - -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1" + -subj "/DC=org/DC=openssl/DC=users/CN=proxy" openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \ -CA user.crt -CAkey user.key -days 7 \ -extfile proxy.cnf -extensions proxy You can also create a proxy certificate using another proxy -certificate as issuer (note: using a different configuration -section for the proxy extensions): +certificate as issuer. Note that this example uses a different +configuration section for the proxy extensions: openssl req -new -config proxy.cnf \ -out proxy2.req -keyout proxy2.key \ - -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2" + -subj "/DC=org/DC=openssl/DC=users/CN=proxy/CN=proxy 2" openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \ -CA proxy.crt -CAkey proxy.key -days 7 \ diff --git a/test/recipes/25-test_verify_store.t b/test/recipes/25-test_verify_store.t index 9246f33868..2afb8cb56f 100644 --- a/test/recipes/25-test_verify_store.t +++ b/test/recipes/25-test_verify_store.t @@ -18,7 +18,7 @@ plan tests => 10; my $dummycnf = srctop_file("apps", "openssl.cnf"); -my $cnf=srctop_file("test","ca-and-certs.cnf"); +my $cnf = srctop_file("test", "ca-and-certs.cnf"); my $CAkey = "keyCA.ss"; my $CAcert="certCA.ss"; my $CAserial="certCA.srl"; diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index b49d895c32..85f71614c4 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -44,7 +44,7 @@ my @verifycmd = ("openssl", "verify"); my @genpkeycmd = ("openssl", "genpkey"); my $dummycnf = srctop_file("apps", "openssl.cnf"); -my $cnf=srctop_file("test","ca-and-certs.cnf"); +my $cnf = srctop_file("test", "ca-and-certs.cnf"); my $CAkey = "keyCA.ss"; my $CAcert="certCA.ss"; my $CAserial="certCA.srl"; @@ -60,7 +60,7 @@ my $Ekey="keyE.ss"; my $Ereq="reqE.ss"; my $Ecert="certE.ss"; -my $proxycnf=srctop_file("test","proxy.cnf"); +my $proxycnf=srctop_file("test", "proxy.cnf"); my $P1key="keyP1.ss"; my $P1req="reqP1.ss"; my $P1cert="certP1.ss"; diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t index 09d9604e9d..337bbb10c9 100644 --- a/test/recipes/90-test_store.t +++ b/test/recipes/90-test_store.t @@ -16,7 +16,7 @@ my $test_name = "test_store"; setup($test_name); my $mingw = config('target') =~ m|^mingw|; -my $cnf=srctop_file("test","ca-and-certs.cnf"); +my $cnf = srctop_file("test", "ca-and-certs.cnf"); my @noexist_files = ( "test/blahdiblah.pem", |