Diffstat (limited to 'doc/man7/proxy-certificates.pod')
-rw-r--r--  doc/man7/proxy-certificates.pod | 32
1 files changed, 15 insertions, 17 deletions
diff --git a/doc/man7/proxy-certificates.pod b/doc/man7/proxy-certificates.pod index ca1f491ac5..eab28b5658 100644 --- a/doc/man7/proxy-certificates.pod +++ b/doc/man7/proxy-certificates.pod @@ -57,24 +57,22 @@ See L</NOTES> for a discussion on this requirement. Creating proxy certificates can be done using the L<openssl-x509(1)> command, with some extra extensions: - [ v3_proxy ] + [ proxy ] # A proxy certificate MUST NEVER be a CA certificate. - basicConstraints=CA:FALSE - + basicConstraints = CA:FALSE # Usual authority key ID - authorityKeyIdentifier=keyid,issuer:always - + authorityKeyIdentifier = keyid,issuer:always # The extension which marks this certificate as a proxy - proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB + proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB It's also possible to specify the proxy extension in a separate section: - proxyCertInfo=critical,@proxy_ext + proxyCertInfo = critical,@proxy_ext [ proxy_ext ] - language=id-ppl-anyLanguage - pathlen=0 - policy=text:BC + language = id-ppl-anyLanguage + pathlen = 0 + policy = text:BC The policy value has a specific syntax, I<syntag>:I<string>, where the I<syntag> determines what will be done with the string. The following @@ -99,12 +97,12 @@ colons between each byte (every second hex digit): indicates that the text of the policy should be taken from a file. The string is then a filename. This is useful for policies that are -large (more than a few lines, e.g. XML documents). +more than a few lines, such as XML or other markup. =back -I<NOTE: The proxy policy value is what determines the rights granted -to the process during the proxy certificate. It's up to the +Note that the proxy policy value is what determines the rights granted +to the process during the proxy certificate, and it is up to the application to interpret and combine these policies.> With a proxy extension, creating a proxy certificate is a matter of 
@@ -112,19 +110,19 @@ two commands: openssl req -new -config proxy.cnf \ -out proxy.req -keyout proxy.key \ - -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1" + -subj "/DC=org/DC=openssl/DC=users/CN=proxy" openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \ -CA user.crt -CAkey user.key -days 7 \ -extfile proxy.cnf -extensions proxy You can also create a proxy certificate using another proxy -certificate as issuer (note: using a different configuration -section for the proxy extensions): +certificate as issuer. Note that this example uses a different +configuration section for the proxy extensions: openssl req -new -config proxy.cnf \ -out proxy2.req -keyout proxy2.key \ - -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2" + -subj "/DC=org/DC=openssl/DC=users/CN=proxy/CN=proxy 2" openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \ -CA proxy.crt -CAkey proxy.key -days 7 \ |
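Review bot: the section rename from `[ v3_proxy ]` to `[ proxy ]` in the first hunk is a functional fix rather than a cosmetic one, because the `openssl x509 -req ... -extfile proxy.cnf -extensions proxy` command shown in the third hunk already selects a section named `proxy`; with the old section name that command would not find the `basicConstraints`, `authorityKeyIdentifier` and `proxyCertInfo` entries and the issued certificate would not be a proxy certificate at all. The `name = value` spacing is applied consistently to both the `[ proxy ]` and `[ proxy_ext ]` blocks, and the `# A proxy certificate MUST NEVER be a CA certificate.` comment still sits directly above `basicConstraints = CA:FALSE`, which is the line a reader should notice first.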
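Review bot: the NOTE rewrite in the second hunk leaves unbalanced POD markup. The `-` lines remove the opening `I<NOTE: The proxy policy value ...`, and the `+` lines replace it with plain `Note that the proxy policy value ...`, but the closing `>` on the unchanged context line `application to interpret and combine these policies.>` is still there, so the formatted man page will carry a stray `>` at the end of the paragraph (or a POD warning about unmatched markup). Either extend the hunk to that line and drop the trailing `>`, or keep the sentence wrapped as `I<...>` if the italic emphasis was wanted. The other change in this hunk, `+more than a few lines, such as XML or other markup.`, reads fine and keeps the sentence complete.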
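Review bot: the `-subj` edits in the third hunk keep the two examples consistent with each other: the second proxy's subject `/DC=org/DC=openssl/DC=users/CN=proxy/CN=proxy 2` is exactly the first proxy's new subject `/DC=org/DC=openssl/DC=users/CN=proxy` with one extra CN appended, which is the naming a proxy issued by `proxy.crt` needs (the `See L</NOTES> for a discussion on this requirement.` context at the top of the first hunk points at that rule). One nit: the names are now asymmetric, `proxy` for the first certificate and `proxy 2` for the second; `proxy 1`/`proxy 2` as before, or `proxy`/`proxy2`, would read more deliberately. Separately, the hunk as shown ends at `-CA proxy.crt -CAkey proxy.key -days 7 \` with the continuation line cut off in this view, while the reworded prose promises that the second example "uses a different configuration section for the proxy extensions"; the `-extensions` argument on that continuation line must therefore name a section other than `proxy`, otherwise the prose and the command disagree.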