Update manpage to fix examples, other minor tweaks

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
Rich Salz 2020-04-27 12:57:01 -04:00 committed by Tomas Mraz
parent 4e6e57cfcd
commit 2b584ff372
4 changed files with 19 additions and 21 deletions

@ -57,13 +57,11 @@ See L</NOTES> for a discussion on this requirement.
Creating proxy certificates can be done using the L<openssl-x509(1)> Creating proxy certificates can be done using the L<openssl-x509(1)>
command, with some extra extensions: command, with some extra extensions:
[ v3_proxy ] [ proxy ]
# A proxy certificate MUST NEVER be a CA certificate. # A proxy certificate MUST NEVER be a CA certificate.
basicConstraints = CA:FALSE basicConstraints = CA:FALSE
# Usual authority key ID # Usual authority key ID
authorityKeyIdentifier = keyid,issuer:always authorityKeyIdentifier = keyid,issuer:always
# The extension which marks this certificate as a proxy # The extension which marks this certificate as a proxy
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
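Review bot: after the section header changes from `[ v3_proxy ]` to `[ proxy ]` at the top of this hunk, please check that nothing else in the page still refers to `v3_proxy`. The new name agrees with the `-extensions proxy` argument of the `openssl x509` command further down, which the old header did not, so any remaining reference to the old name would reintroduce the mismatch this change fixes.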
@ -99,12 +97,12 @@ colons between each byte (every second hex digit):
indicates that the text of the policy should be taken from a file. indicates that the text of the policy should be taken from a file.
The string is then a filename. This is useful for policies that are The string is then a filename. This is useful for policies that are
large (more than a few lines, e.g. XML documents). more than a few lines, such as XML or other markup.
=back =back
I<NOTE: The proxy policy value is what determines the rights granted Note that the proxy policy value is what determines the rights granted
to the process during the proxy certificate. It's up to the to the process during the proxy certificate, and it is up to the
application to interpret and combine these policies.> application to interpret and combine these policies.>
With a proxy extension, creating a proxy certificate is a matter of With a proxy extension, creating a proxy certificate is a matter of
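Review bot: the rewritten note still ends in `policies.>` on the new side. The `I<NOTE: ...` opener was dropped but the closing `>` of the old `I<...>` markup was left behind, so a stray `>` will show up in the rendered page. Suggest ending the line as `application to interpret and combine these policies.` with no trailing `>`.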
@ -112,19 +110,19 @@ two commands:
openssl req -new -config proxy.cnf \ openssl req -new -config proxy.cnf \
-out proxy.req -keyout proxy.key \ -out proxy.req -keyout proxy.key \
-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1" -subj "/DC=org/DC=openssl/DC=users/CN=proxy"
openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \ openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \
-CA user.crt -CAkey user.key -days 7 \ -CA user.crt -CAkey user.key -days 7 \
-extfile proxy.cnf -extensions proxy -extfile proxy.cnf -extensions proxy
You can also create a proxy certificate using another proxy You can also create a proxy certificate using another proxy
certificate as issuer (note: using a different configuration certificate as issuer. Note that this example uses a different
section for the proxy extensions): configuration section for the proxy extensions:
openssl req -new -config proxy.cnf \ openssl req -new -config proxy.cnf \
-out proxy2.req -keyout proxy2.key \ -out proxy2.req -keyout proxy2.key \
-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2" -subj "/DC=org/DC=openssl/DC=users/CN=proxy/CN=proxy 2"
openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \ openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \
-CA proxy.crt -CAkey proxy.key -days 7 \ -CA proxy.crt -CAkey proxy.key -days 7 \
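Review bot: the new sentence "Note that this example uses a different configuration section for the proxy extensions" does not name that section. Since the first example had to be corrected so that its section header and `-extensions proxy` agree, naming the second section in the sentence would let a reader verify the same agreement for the second `openssl x509` command. The two `-subj` values are changed together here (`CN=proxy` and `CN=proxy/CN=proxy 2`), which keeps the second subject an extension of the first; that part looks consistent.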