author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2021-01-06 14:44:03 +0100
committer: Dr. David von Oheimb <dev@ddvo.net> 2021-01-20 15:59:22 +0100
commit: b9fbacaa7bdce2083186211b3cdf8511ad4cb91d
tree: 2b570aa53ff7b2b24658c92f3f08748a9fff9e14 /CHANGES.md
parent: 1d1d23128f2bfc24d98a973e48e4eb1555d24880
apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req

Fixes #3638
Fixes #6481
Fixes #10458
Partly fixes #13708
Supersedes #9449

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- CHANGES.md 24
1 files changed, 15 insertions, 9 deletions
diff --git a/CHANGES.md b/CHANGES.md
index cd093491be..8ae1c7470a 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -929,19 +929,25 @@ OpenSSL 3.0
*Richard Levitte*
- * Added the `<-copy_extensions` option to the `req` command for use with `-x509`.
- When given with the `copy` or `copyall` argument,
- any extensions present in the certification request are copied to the certificate.
+ * Added the `-copy_extensions` option to the `x509` command for use with
+ `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
+ all extensions in the request are copied to the certificate or vice versa.
+
+ *David von Oheimb*, *Kirill Stefanenkov <kirill_stefanenkov@rambler.ru>*
+
+ * Added the `-copy_extensions` option to the `req` command for use with
+ `-x509`. When given with the `copy` or `copyall` argument,
+ all extensions in the certification request are copied to the certificate.
*David von Oheimb*
- * The `x509`, `req`, and `ca` commands now make sure that certificates they
- generate are RFC 5280 compliant by default: For X.509 version 3 certs they ensure that
- a subjectKeyIdentifier extension is included containing a hash value of the public key
- and an authorityKeyIdentifier extension is included for not self-signed certs
- containing a keyIdentifier field with the hash value identifying the signing key.
+ * The `x509`, `req`, and `ca` commands now make sure that X.509v3 certificates
+ they generate are by default RFC 5280 compliant in the following sense:
+ There is a subjectKeyIdentifier extension with a hash value of the public key
+ and for not self-signed certs there is an authorityKeyIdentifier extension
+ with a keyIdentifier field or issuer information identifying the signing key.
This is done unless some configuration overrides the new default behavior,
- e.g. `authorityKeyIdentifier = none`.
+ such as `subjectKeyIdentifier = none` and `authorityKeyIdentifier = none`.
*David von Oheimb*
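Review bot: Both new `-copy_extensions` entries say that "all extensions" are copied "when given with the `copy` or `copyall` argument", so the text never tells the reader how the two arguments differ; the removed wording ("any extensions present") had the same gap. Suggest one clause per argument stating what each does when an extension is already set on the target, and, since extensions in a request are supplied by the requester, a short pointer to the option's documentation for what to check before signing. Two smaller points in the last entry: "with a keyIdentifier field or issuer information identifying the signing key" reads as if issuer information identifies a key, where it identifies the issuing certificate, and "such as `subjectKeyIdentifier = none` and `authorityKeyIdentifier = none`" would be clearer with "or", because each setting overrides only its own extension. The author line of the `x509` entry also carries an e-mail address for one contributor while the other entries give names only.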