| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-07 19:37:46 +0100 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-10 15:19:55 +0100 |
| commit | 1a683b80dc9ad4dcbf206a0617364a9d614a9883 (patch) | |
| tree | 489d4cc0bfbb0664cd692e95ab0c175aa8b3ebd3 /doc/man5/x509v3_config.pod | |
| parent | 98ba251fe6f49fc2ee310f6e559c3431922fa16d (diff) | |
apps/{ca,req,x509}.c: Improve diag and doc mostly on X.509 extensions, fix multiple instances
This includes a general correction in the code (now using the X509V3_CTX_REPLACE flag)
and adding a prominent clarification in the documentation:
If multiple entries are processed for the same extension name,
later entries override earlier ones with the same name.
This is due to an RFC 5280 requirement - the intro of its section 4.2 says:
A certificate MUST NOT include more than one instance of a particular extension.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)
Diffstat (limited to 'doc/man5/x509v3_config.pod')

| -rw-r--r-- | doc/man5/x509v3_config.pod | 8 |
|---|---|---|
1 files changed, 6 insertions, 2 deletions
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index a20065a8d9..cf08f78695 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -7,8 +7,9 @@ x509v3_config - X509 V3 certificate extension configuration format =head1 DESCRIPTION Several OpenSSL commands can add extensions to a certificate or -certificate request based on the contents of a configuration file. -The syntax of this file is described in L<config(5)>. +certificate request based on the contents of a configuration file +and CLI options such as B<-addext>. +The syntax of configuration files is described in L<config(5)>. The commands typically have an option to specify the name of the configuration file, and a section within that file; see the documentation of the individual command for details. @@ -22,6 +23,9 @@ Each entry in the extension section takes the form: If B<critical> is present then the extension will be marked as critical. +If multiple entries are processed for the same extension name, +later entries override earlier ones with the same name. + The format of B<values> depends on the value of B<name>, many have a type-value pairing where the type and value are separated by a colon. There are four main types of extension: |
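Review bot: In the first hunk (the DESCRIPTION paragraph), "CLI options such as B<-addext>" should say which of the "several OpenSSL commands" actually accept that option, or point the reader at the relevant command's manual page, because the following sentence ("The commands typically have an option to specify the name of the configuration file ...") only covers the config-file path and a reader cannot tell from this paragraph whether a given command honours B<-addext> at all. A short parenthetical naming the command(s), or an explicit "see the documentation of the individual command" for the option as well as for the file, would close that gap.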
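Review bot: In the second hunk, the new sentence "If multiple entries are processed for the same extension name, later entries override earlier ones with the same name." leaves two things unstated that a reader configuring security-critical extensions (keyUsage, basicConstraints, extendedKeyUsage) will need: whether "processed" spans both the configuration file and B<-addext> (i.e. which source wins when the same extension name appears in each), and whether the earlier entry is dropped silently or with a warning, since the commit message says the replacement now happens via the X509V3_CTX_REPLACE flag and a silently discarded constraint is easy to miss in review. Consider also stating the rationale the commit message cites (RFC 5280 section 4.2 forbids more than one instance of an extension) directly in the man page, and trimming the redundant trailing "with the same name", which repeats "for the same extension name" earlier in the sentence.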