author | Richard Levitte <levitte@openssl.org> | 2020-11-14 22:38:37 +0100 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2020-11-16 10:03:04 +0100 |
commit | ccbf3f90c46cee9b2ca38f9a6c797c838738d8af (patch) | |
tree | fe54199dc985a5de3c246ac829468072cbb8e0df /doc | |
parent | 4605c5ab4796e99a207ab54d31bb8d2b5e42f1ca (diff) |
DOC: Fixup the description of the -x509_strict option

POD commands must always be surrounded by blank lines

POD transformers read everything in paragraph mode. The following
lines become *one* command, where the second line becomes part of the
text of the first, including the command itself. In other words,
this:

    =item something
    =item something else

Translates to this in a man-page:

    something =item something else

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13412)
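
The paragraph-mode behaviour described in the commit message can be checked mechanically. The following is an added example, not code from the commit or from the OpenSSL tree: it splits POD text into blank-line-separated paragraphs and reports command lines that sit inside a paragraph instead of starting one. The function names and the sample strings are constructed for illustration, and whitespace-only lines are assumed to count as blank.

```python
import re

# A POD command line: "=" in column 0 followed by a letter (perlpod syntax).
COMMAND = re.compile(r"^=[A-Za-z]\w*")


def paragraphs(text):
    """Yield (first_line_number, lines) for each blank-line-separated paragraph."""
    block, start = [], 0
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip():  # assumption: whitespace-only lines count as blank
            if not block:
                start = number
            block.append(line)
        elif block:
            yield start, block
            block = []
    if block:
        yield start, block


def swallowed_commands(text):
    """Return (line_number, line) for commands that do not start a paragraph."""
    hits = []
    for start, lines in paragraphs(text):
        for offset, line in enumerate(lines[1:], 1):
            if COMMAND.match(line):
                hits.append((start + offset, line))
    return hits


def rendered_item(lines):
    """Return (command, text) as a paragraph-mode reader sees a command paragraph."""
    name, _, rest = lines[0].partition(" ")
    return name, " ".join([rest.strip()] + [l.strip() for l in lines[1:]])


# Constructed samples: the broken form from the commit message, then the fixed form.
BROKEN = "=over 4\n\n=item something\n=item something else\n\n=back\n"
FIXED = "=over 4\n\n=item something\n\n=item something else\n\n=back\n"

if __name__ == "__main__":
    for number, line in swallowed_commands(BROKEN):
        print(f"line {number}: command inside a paragraph: {line}")
```

Run over a `.pod` file's contents, `swallowed_commands` lists every `=item` (or other command) that a formatter would fold into the preceding paragraph's text.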
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/openssl.pod | 64 |
1 files changed, 48 insertions, 16 deletions
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 4789be46ef..bd3a9db226 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod 
@@ -887,22 +887,54 @@ Thus errors are thrown on certificates not compliant with RFC 5280. When this option is set, among others, the following certificate well-formedness conditions are checked: -=over 8 - -=item The basicConstraints of CA certificates must be marked critical. -=item CA certificates must explicitly include the keyUsage extension. -=item If a pathlenConstraint is given the key usage keyCertSign must be allowed. -=item The pathlenConstraint must not be given for non-CA certificates. -=item The issuer name of any certificate must not be empty. -=item The subject name of CA certs, certs with keyUsage crlSign, - and certs without subjectAlternativeName must not be empty. -=item If a subjectAlternativeName extension is given it must not be empty. -=item The signatureAlgorithm field and the cert signature must be consistent. -=item Any given authorityKeyIdentifier and any given subjectKeyIdentifier - must not be marked critical. -=item The authorityKeyIdentifier must be given for X.509v3 certs - unless they are self-signed. -=item The subjectKeyIdentifier must be given for all X.509v3 CA certs. +=over 4 + +=item - + +The basicConstraints of CA certificates must be marked critical. + +=item - + +CA certificates must explicitly include the keyUsage extension. + +=item - + +If a pathlenConstraint is given the key usage keyCertSign must be allowed. + +=item - + +The pathlenConstraint must not be given for non-CA certificates. + +=item - + +The issuer name of any certificate must not be empty. + +=item - + +The subject name of CA certs, certs with keyUsage crlSign, and certs +without subjectAlternativeName must not be empty. + +=item - + +If a subjectAlternativeName extension is given it must not be empty. + +=item - + +The signatureAlgorithm field and the cert signature must be consistent. + +=item - + +Any given authorityKeyIdentifier and any given subjectKeyIdentifier +must not be marked critical. 
+ +=item - + +The authorityKeyIdentifier must be given for X.509v3 certs unless they +are self-signed. + +=item - + +The subjectKeyIdentifier must be given for all X.509v3 CA certs. =back |
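Review bot: Every entry in the new list is introduced with `=item -`, which POD treats as a text item whose label is a literal hyphen, not as a bullet; `=item *` is the bullet-list form and would let each formatter pick its own bullet glyph. The same hunk also changes `=over 8` to `=over 4`, which the commit message does not mention even though it alters the rendered indentation, so a line about it in the message would help. The blank lines around each `=item` and the re-wrapped continuation lines (for example "without subjectAlternativeName must not be empty.") match the stated fix. As a small wording point in text carried over unchanged, "If a pathlenConstraint is given the key usage keyCertSign must be allowed." reads more easily with a comma after "given".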