| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-02-16 11:17:07 +0100 |
|---|---|---|
| committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-06-26 15:38:40 +0200 |
| commit | 4acda8635ed55ddf831d1bb3dc6086054f01cc61 (patch) | |
| tree | f366f096ef49946d775a738463cc7d89f12858e0 /doc/man5 | |
| parent | 426005eea5afd64bb76006f0fda69502ab3e008d (diff) | |
DOC: Clarify the role of EKUs including defaults for TLS client and server use
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14199)
Diffstat (limited to 'doc/man5')
-rw-r--r-- | doc/man5/x509v3_config.pod | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index f8bc6d0ff1..fb7c3aaff7 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -142,15 +142,15 @@ Examples: =head2 Extended Key Usage This extension consists of a list of values indicating purposes for which -the certificate public key can be used for, Each value can be either a -short text name or an OID. +the certificate public key can be used. +Each value can be either a short text name or an OID. The following text names, and their intended meaning, are known: - Value Meaning - ----- ------- - serverAuth SSL/TLS Web Server Authentication - clientAuth SSL/TLS Web Client Authentication - codeSigning Code signing + Value Meaning according to RFC 5280 etc. + ----- ---------------------------------- + serverAuth SSL/TLS WWW Server Authentication + clientAuth SSL/TLS WWW Client Authentication + codeSigning Code Signing emailProtection E-mail Protection (S/MIME) timeStamping Trusted Timestamping OCSPSigning OCSP Signing @@ -160,6 +160,10 @@ The following text names, and their intended meaning, are known: msCTLSign Microsoft Trust List Signing msEFS Microsoft Encrypted File System +While IETF RFC 5280 says that B<id-kp-serverAuth> and B<id-kp-clientAuth> +are only for WWW use, in practice they are used for all kinds of TLS clients +and servers, and this is what OpenSSL assumes as well. + Examples: extendedKeyUsage = critical, codeSigning, 1.2.3.4 |
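Review bot: In the first hunk, the new column heading "Meaning according to RFC 5280 etc." leaves "etc." doing a lot of work: several names in the same table (msCodeInd, msCTLSign, msEFS and the other Microsoft entries) are not defined in RFC 5280 at all, and OCSPSigning and timeStamping come from it while the SGC and Microsoft ones do not. Consider either naming the other sources in the heading or adding a one-line note after the table saying which entries are Microsoft-defined, so a reader does not go looking for msEFS in RFC 5280.

Review bot: In the second hunk, the commit title promises to clarify "defaults for TLS client and server use", but the added paragraph only states that OpenSSL treats B<id-kp-serverAuth> and B<id-kp-clientAuth> as applying to all TLS uses rather than WWW only; it does not say what is assumed when the extension is absent from a certificate, nor which check (e.g. the purpose check used during verification) applies this assumption. Either add a sentence covering the absent-EKU case or point to the page where that behaviour is documented. It would also help to cite the section of RFC 5280 being paraphrased (4.2.1.12, Extended Key Usage) instead of "IETF RFC 5280 says".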