Diffstat (limited to 'secure/lib/libcrypto/man/man7/proxy-certificates.7')
-rw-r--r-- | secure/lib/libcrypto/man/man7/proxy-certificates.7 | 54 |
1 files changed, 25 insertions, 29 deletions
diff --git a/secure/lib/libcrypto/man/man7/proxy-certificates.7 b/secure/lib/libcrypto/man/man7/proxy-certificates.7 index 25edc2b74c6e..7eae21849f5b 100644 --- a/secure/lib/libcrypto/man/man7/proxy-certificates.7 +++ b/secure/lib/libcrypto/man/man7/proxy-certificates.7 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40) +.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42) .\" .\" Standard preamble: .\" ======================================================================== @@ -68,8 +68,6 @@ . \} .\} .rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ @@ -132,8 +130,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "PROXY-CERTIFICATES 7" -.TH PROXY-CERTIFICATES 7 "2022-06-21" "1.1.1p" "OpenSSL" +.IX Title "PROXY-CERTIFICATES 7ossl" +.TH PROXY-CERTIFICATES 7ossl "2023-09-19" "3.0.11" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -181,27 +179,25 @@ See \*(L"\s-1NOTES\*(R"\s0 for a discussion on this requirement. Creating proxy certificates can be done using the \fBopenssl\-x509\fR\|(1) command, with some extra extensions: .PP -.Vb 3 -\& [ v3_proxy ] +.Vb 7 +\& [ proxy ] \& # A proxy certificate MUST NEVER be a CA certificate. -\& basicConstraints=CA:FALSE -\& +\& basicConstraints = CA:FALSE \& # Usual authority key ID -\& authorityKeyIdentifier=keyid,issuer:always -\& +\& authorityKeyIdentifier = keyid,issuer:always \& # The extension which marks this certificate as a proxy -\& proxyCertInfo=critical,language:id\-ppl\-anyLanguage,pathlen:1,policy:text:AB +\& proxyCertInfo = critical,language:id\-ppl\-anyLanguage,pathlen:1,policy:text:AB .Ve .PP It's also possible to specify the proxy extension in a separate section: .PP .Vb 1 -\& proxyCertInfo=critical,@proxy_ext +\& proxyCertInfo = critical,@proxy_ext \& \& [ proxy_ext ] -\& language=id\-ppl\-anyLanguage -\& pathlen=0 -\& policy=text:BC +\& language = id\-ppl\-anyLanguage +\& pathlen = 0 +\& policy = text:BC .Ve .PP The policy value has a specific syntax, \fIsyntag\fR:\fIstring\fR, where the @@ -226,11 +222,11 @@ colons between each byte (every second hex digit): .IX Item "file" indicates that the text of the policy should be taken from a file. The string is then a filename. This is useful for policies that are -large (more than a few lines, e.g. \s-1XML\s0 documents). +more than a few lines, such as \s-1XML\s0 or other markup. .PP -\&\fI\s-1NOTE:\s0 The proxy policy value is what determines the rights granted -to the process during the proxy certificate. It's up to the -application to interpret and combine these policies.\fR +Note that the proxy policy value is what determines the rights granted +to the process during the proxy certificate, and it is up to the +application to interpret and combine these policies.> .PP With a proxy extension, creating a proxy certificate is a matter of two commands: 
@@ -238,25 +234,25 @@ two commands: .Vb 3 \& openssl req \-new \-config proxy.cnf \e \& \-out proxy.req \-keyout proxy.key \e -\& \-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1" +\& \-subj "/DC=org/DC=openssl/DC=users/CN=proxy" \& \& openssl x509 \-req \-CAcreateserial \-in proxy.req \-out proxy.crt \e \& \-CA user.crt \-CAkey user.key \-days 7 \e -\& \-extfile proxy.cnf \-extensions v3_proxy1 +\& \-extfile proxy.cnf \-extensions proxy .Ve .PP You can also create a proxy certificate using another proxy -certificate as issuer (note: using a different configuration -section for the proxy extensions): +certificate as issuer. Note that this example uses a different +configuration section for the proxy extensions: .PP .Vb 3 \& openssl req \-new \-config proxy.cnf \e \& \-out proxy2.req \-keyout proxy2.key \e -\& \-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2" +\& \-subj "/DC=org/DC=openssl/DC=users/CN=proxy/CN=proxy 2" \& \& openssl x509 \-req \-CAcreateserial \-in proxy2.req \-out proxy2.crt \e \& \-CA proxy.crt \-CAkey proxy.key \-days 7 \e -\& \-extfile proxy.cnf \-extensions v3_proxy2 +\& \-extfile proxy.cnf \-extensions proxy_2 .Ve .SS "Using proxy certs in applications" .IX Subsection "Using proxy certs in applications" @@ -334,7 +330,7 @@ The following skeleton code can be used as a starting point: \& * bottom. You get the CA root first, followed by the \& * possible chain of intermediate CAs, followed by the EE \& * certificate, followed by the possible proxy -\& * certificates. +\& * certificates. \& */ \& X509 *xs = X509_STORE_CTX_get_current_cert(ctx); \& @@ -353,7 +349,7 @@ The following skeleton code can be used as a starting point: \& * by pulling them from some database. If there \& * are none to be found, clear all rights (making \& * this and any subsequent proxy certificate void -\& * of any rights). +\& * of any rights). \& */ \& memset(rights\->rights, 0, sizeof(rights\->rights)); \& break; 
@@ -470,7 +466,7 @@ the same as the issuer, with one commonName added on. \&\s-1RFC 3820\s0 <https://tools.ietf.org/html/rfc3820> .SH "COPYRIGHT" .IX Header "COPYRIGHT" -Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy |
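Review bot: The rewritten note in the `@@ -226,11 +222,11 @@` hunk ends with a stray ">" ("...interpret and combine these policies.>"). The old text was wrapped in italic markup (`\fI ... \fR`), so this looks like a closing delimiter left behind when that markup was dropped. Because this page is generated by Pod::Man, the fix belongs in the POD source: remove the trailing ">" there and regenerate, rather than editing the .7 file by hand.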
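Review bot: The second `openssl x509` command in the `@@ -238,25 +234,25 @@` hunk now passes `-extensions proxy_2`, but the configuration shown in the `@@ -181,27 +179,25 @@` hunk defines only `[ proxy ]` and `[ proxy_ext ]`; no `[ proxy_2 ]` section appears in the visible lines. Either show that section in the example or point the command at a section the page defines, so the two-level proxy example works as written when copied. The first command (`-extensions proxy`) does match the renamed `[ proxy ]` section.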
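Review bot: The `.IX Title` and `.TH` lines in the `@@ -132,8 +130,8 @@` hunk move the page to section "7ossl", while the file stays at man7/proxy-certificates.7. Confirm that the installed name and any cross-references to this page resolve with the section readers will type, or state in the commit message why the header section and the file suffix are allowed to differ.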
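Review bot: In the `@@ -334,7 +330,7 @@` and `@@ -353,7 +349,7 @@` hunks the removed and added comment lines ("* certificates." and "* of any rights).") read identically, so the change is whitespace-only inside the skeleton code. Check whether the regenerated text carries trailing whitespace from the POD source and clean it up there, so these lines do not keep reappearing in later regeneration diffs.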