author | Rich Salz <rsalz@akamai.com> | 2020-04-27 12:57:01 -0400 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-06-03 09:57:02 +0200 |
commit | 2b584ff372b2b25bb6801172bbeb90074b26f88c (patch) | |
tree | 20122111e48f09629139171db24e532484b981e8 /doc | |
parent | 4e6e57cfcdd75b827ff7171927d87e95b5b86ae8 (diff) |
Update manpage to fix examples, other minor tweaks
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man7/proxy-certificates.pod | 32 |
1 files changed, 15 insertions, 17 deletions
diff --git a/doc/man7/proxy-certificates.pod b/doc/man7/proxy-certificates.pod index ca1f491ac5..eab28b5658 100644 --- a/doc/man7/proxy-certificates.pod +++ b/doc/man7/proxy-certificates.pod @@ -57,24 +57,22 @@ See L</NOTES> for a discussion on this requirement. Creating proxy certificates can be done using the L<openssl-x509(1)> command, with some extra extensions: - [ v3_proxy ] + [ proxy ] # A proxy certificate MUST NEVER be a CA certificate. - basicConstraints=CA:FALSE - + basicConstraints = CA:FALSE # Usual authority key ID - authorityKeyIdentifier=keyid,issuer:always - + authorityKeyIdentifier = keyid,issuer:always # The extension which marks this certificate as a proxy - proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB + proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB It's also possible to specify the proxy extension in a separate section: - proxyCertInfo=critical,@proxy_ext + proxyCertInfo = critical,@proxy_ext [ proxy_ext ] - language=id-ppl-anyLanguage - pathlen=0 - policy=text:BC + language = id-ppl-anyLanguage + pathlen = 0 + policy = text:BC The policy value has a specific syntax, I<syntag>:I<string>, where the I<syntag> determines what will be done with the string. The following @@ -99,12 +97,12 @@ colons between each byte (every second hex digit): indicates that the text of the policy should be taken from a file. The string is then a filename. This is useful for policies that are -large (more than a few lines, e.g. XML documents). +more than a few lines, such as XML or other markup. =back -I<NOTE: The proxy policy value is what determines the rights granted -to the process during the proxy certificate. It's up to the +Note that the proxy policy value is what determines the rights granted +to the process during the proxy certificate, and it is up to the application to interpret and combine these policies.> With a proxy extension, creating a proxy certificate is a matter of 
@@ -112,19 +110,19 @@ two commands: openssl req -new -config proxy.cnf \ -out proxy.req -keyout proxy.key \ - -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1" + -subj "/DC=org/DC=openssl/DC=users/CN=proxy" openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \ -CA user.crt -CAkey user.key -days 7 \ -extfile proxy.cnf -extensions proxy You can also create a proxy certificate using another proxy -certificate as issuer (note: using a different configuration -section for the proxy extensions): +certificate as issuer. Note that this example uses a different +configuration section for the proxy extensions: openssl req -new -config proxy.cnf \ -out proxy2.req -keyout proxy2.key \ - -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2" + -subj "/DC=org/DC=openssl/DC=users/CN=proxy/CN=proxy 2" openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \ -CA proxy.crt -CAkey proxy.key -days 7 \ |
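Review bot: In the first hunk (@@ -57,24 +57,22), the second example's `proxyCertInfo = critical,@proxy_ext` line still sits under no section header of its own, so a reader cannot tell which section name to pass to `-extensions` when using the `[ proxy_ext ]` form. Now that the first example is headed `[ proxy ]`, give the second example a visible section header as well, and say in the surrounding sentence that it replaces the inline `proxyCertInfo` line rather than adding to it.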
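Review bot: In the second hunk (@@ -99,12 +97,12), the change removes the opening `I<` from the note but the unchanged context line still ends in `policies.>`, which leaves an unmatched `>` in the POD source and in the rendered page. Extend the hunk to drop that trailing `>`, or keep the whole note wrapped in `I<...>`. While touching the sentence, "rights granted to the process during the proxy certificate" would read better with the missing word restored (for example "during the lifetime of the proxy certificate", if that is what is meant).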
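Review bot: In the third hunk (@@ -112,19 +110,19), the new sentence "Note that this example uses a different configuration section for the proxy extensions" does not name the section, while the first command names its section with `-extensions proxy`. Name the section in the sentence so it can be matched against the config example earlier in the page. The renamed subjects are consistent with each other (`CN=proxy`, then `CN=proxy/CN=proxy 2`); a short remark that the second subject is the first with one more CN appended would make the intent of the rename clear.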