| field | value | date |
|---|---|---|
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-10 15:23:41 +0100 |
| committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-01-13 11:53:15 +0100 |
| commit | ec2bfb7d23b4790a5fbe3b5d73a3418966d7e8ad | |
| tree | 6933e942381aa061e6a61b4e5a375098294c88fc /doc/man5 | |
| parent | f2a0458731f15fd4d45f5574a221177f4591b1d8 | |
apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default
Fixes #13603
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Diffstat (limited to 'doc/man5')
-rw-r--r-- | doc/man5/x509v3_config.pod | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index cf08f78695..b2ee41b853 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -168,9 +168,10 @@ Examples: =head2 Subject Key Identifier -This SKID extension is a string with one of two legal values. -If it is the word B<hash>, then OpenSSL will follow -the process specified in RFC 5280 section 4.2.1.2. (1): +The SKID extension specification has a value with three choices. +If the value is the word B<none>, then no SKID extension will be included. +If the value is the word B<hash>, or by default for the B<x509>, B<req>, and +B<ca> apps, the process specified in RFC 5280 section 4.2.1.2. (1) is followed: The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits). @@ -183,10 +184,14 @@ Example: =head2 Authority Key Identifier -The AKID extension specification may have the value B<keyid> or B<issuer> +The AKID extension specification may have the value B<none> +indicating that no AKID shall be included. +Otherwise it may have the value B<keyid> or B<issuer> or both of them, separated by C<,>. Either or both can have the option B<always>, -indicated by putting a colon C<:> between the value and this opton. +indicated by putting a colon C<:> between the value and this option. +By default the B<x509>, B<req>, and B<ca> apps behave as if +"none" was given for self-signed certificates and "keyid, issuer" otherwise. If B<keyid> is present, an attempt is made to copy the subject key identifier (SKID) from the issuer certificate, which is the default behavior. |
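Review bot: In the Subject Key Identifier hunk, the new opening sentence says the value "has three choices" but the paragraph then names only B<none> and B<hash>, leaving the reader to infer the third from the unchanged text that follows; name all three in that first sentence so the enumeration is complete where it is announced. The sentence "If the value is the word B<hash>, or by default for the B<x509>, B<req>, and B<ca> apps, the process ... is followed" also reads awkwardly because the default clause is spliced into the condition; consider "If the value is B<hash>, which is also the default for the B<x509>, B<req>, and B<ca> apps, the process specified in RFC 5280 section 4.2.1.2 (1) is followed:" and drop the stray period after "4.2.1.2".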
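Review bot: In the Authority Key Identifier hunk, the added default sentence writes the values as plain quoted strings, "none" and "keyid, issuer", while the rest of the section uses B<none>, B<keyid> and B<issuer> and says the two values are separated by C<,>; use the same markup and the same separator form so the documented default can be pasted as-is, and change "as if ... was given" to "had been given". The new default also leaves the unchanged trailing sentence "which is the default behavior" (about copying the SKID when B<keyid> is present) only partly true, since the new text says the default is no AKID for self-signed certificates; qualify that sentence, e.g. "which is the default behavior for certificates that are not self-signed", and add a missing comma before "indicating that no AKID shall be included".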