Update manpage to fix examples, other minor tweaks

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
Rich Salz 2020-04-27 12:57:01 -04:00 committed by Tomas Mraz
parent 4e6e57cfcd
commit 2b584ff372
4 changed files with 19 additions and 21 deletions

@ -57,13 +57,11 @@ See L</NOTES> for a discussion on this requirement.
Creating proxy certificates can be done using the L<openssl-x509(1)>
command, with some extra extensions:
[ v3_proxy ]
[ proxy ]
# A proxy certificate MUST NEVER be a CA certificate.
basicConstraints = CA:FALSE
# Usual authority key ID
authorityKeyIdentifier = keyid,issuer:always
# The extension which marks this certificate as a proxy
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
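Review bot: The section header at the top of this hunk changes between `[ v3_proxy ]` and `[ proxy ]`, and the commands later in the patch pass `-extfile proxy.cnf -extensions proxy`, so the examples only work if the file ends up with `[ proxy ]`. Please check that nothing else on the page still refers to `v3_proxy`. The later text also says the second example uses a different configuration section, but only one section is shown here; showing that second section alongside this one would let a reader build the whole proxy.cnf from the page.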
@ -99,12 +97,12 @@ colons between each byte (every second hex digit):
indicates that the text of the policy should be taken from a file.
The string is then a filename. This is useful for policies that are
large (more than a few lines, e.g. XML documents).
more than a few lines, such as XML or other markup.
=back
I<NOTE: The proxy policy value is what determines the rights granted
to the process during the proxy certificate. It's up to the
Note that the proxy policy value is what determines the rights granted
to the process during the proxy certificate, and it is up to the
application to interpret and combine these policies.>
With a proxy extension, creating a proxy certificate is a matter of
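Review bot: The reworded note starts with `Note that` instead of `I<NOTE:`, but the unchanged last line of the paragraph still ends in `policies.>`, which leaves an unmatched `>` in the POD that will show up as a literal character in the rendered page. Either drop the trailing `>` from that line or keep the `I<...>` wrapper around the whole note. While this sentence is being touched, "the rights granted to the process during the proxy certificate" is hard to parse; it should say during what (the certificate's validity, or its use).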
@ -112,19 +110,19 @@ two commands:
openssl req -new -config proxy.cnf \
-out proxy.req -keyout proxy.key \
-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1"
-subj "/DC=org/DC=openssl/DC=users/CN=proxy"
openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \
-CA user.crt -CAkey user.key -days 7 \
-extfile proxy.cnf -extensions proxy
You can also create a proxy certificate using another proxy
certificate as issuer (note: using a different configuration
section for the proxy extensions):
certificate as issuer. Note that this example uses a different
configuration section for the proxy extensions:
openssl req -new -config proxy.cnf \
-out proxy2.req -keyout proxy2.key \
-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2"
-subj "/DC=org/DC=openssl/DC=users/CN=proxy/CN=proxy 2"
openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \
-CA proxy.crt -CAkey proxy.key -days 7 \
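Review bot: In the first `openssl req` example the subject becomes `/DC=org/DC=openssl/DC=users/CN=proxy`, but nothing in the hunk states the subject of `user.crt`, so a reader cannot tell whether this value is the issuer's subject with exactly one CN appended, which is what a proxy certificate requires and what the second example does relative to the first (`.../CN=proxy/CN=proxy 2`). Suggest stating the assumed subject of user.crt next to the command, or writing the `-subj` value in terms of it, so the example does not produce a certificate that fails verification when copied. The surrounding sentence says the second example uses a different configuration section, so the `-extensions` argument of the second `openssl x509` command should be checked against the section names defined in the config example.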