From 4acda8635ed55ddf831d1bb3dc6086054f01cc61 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Tue, 16 Feb 2021 11:17:07 +0100 Subject: DOC: Clarify the role of EKUs including defaults for TLS client and server use Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14199) --- doc/man5/x509v3_config.pod | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'doc/man5') diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index f8bc6d0ff1..fb7c3aaff7 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -142,15 +142,15 @@ Examples: =head2 Extended Key Usage This extension consists of a list of values indicating purposes for which -the certificate public key can be used for, Each value can be either a -short text name or an OID. +the certificate public key can be used. +Each value can be either a short text name or an OID. The following text names, and their intended meaning, are known: - Value Meaning - ----- ------- - serverAuth SSL/TLS Web Server Authentication - clientAuth SSL/TLS Web Client Authentication - codeSigning Code signing + Value Meaning according to RFC 5280 etc. + ----- ---------------------------------- + serverAuth SSL/TLS WWW Server Authentication + clientAuth SSL/TLS WWW Client Authentication + codeSigning Code Signing emailProtection E-mail Protection (S/MIME) timeStamping Trusted Timestamping OCSPSigning OCSP Signing @@ -160,6 +160,10 @@ The following text names, and their intended meaning, are known: msCTLSign Microsoft Trust List Signing msEFS Microsoft Encrypted File System +While IETF RFC 5280 says that B and B +are only for WWW use, in practice they are used for all kinds of TLS clients +and servers, and this is what OpenSSL assumes as well. + Examples: extendedKeyUsage = critical, codeSigning, 1.2.3.4 -- cgit v1.2.3
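Review bot: in the first hunk, the new column header "Meaning according to RFC 5280 etc." is vaguer than it needs to be, because the table mixes RFC 5280 names (serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, OCSPSigning) with vendor-defined ones (msCodeInd, msCTLSign, msEFS) that RFC 5280 does not define; either name the second source explicitly or keep a neutral header such as "Meaning" and state in the sentence above the table which names come from RFC 5280. The wording change from "Web" to "WWW" matches the RFC's key purpose descriptions, and the split of the run-on sentence ("can be used for, Each value") is a clear improvement; if the header text is kept, also confirm the dashed underline is the same width as the header so the POD verbatim block renders aligned.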
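Review bot: in the second hunk, the added sentence "and this is what OpenSSL assumes as well" does not say where that assumption is applied, so a reader cannot tell which check it affects; state the concrete behaviour (which purpose check or verification option treats serverAuth and clientAuth as the TLS server and client purposes) or link to the page that documents it. The commit subject also promises "defaults for TLS client and server use", but the paragraph only covers the case where the EKU extension is present; either add a sentence on how a certificate with no Extended Key Usage extension is treated for TLS client and server purposes, or narrow the subject. Finally, as rendered here the paragraph reads "says that B and B are only for WWW use", which suggests the B<...> bold markup around the two extension names was lost; confirm the POD source spells out serverAuth and clientAuth inside the B<> tags, and prefer the plain "RFC 5280" form used elsewhere in this file over "IETF RFC 5280".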