NAME
    x509v3_config - X509 V3 certificate extension configuration format

DESCRIPTION
    Several OpenSSL commands can add extensions to a certificate or certificate request based on the contents of a configuration file and CLI options such as -addext. The syntax of configuration files is described in config(5). The commands typically have an option to specify the name of the configuration file, and a section within that file; see the documentation of the individual command for details.

    This page uses extensions as the name of the section, when needed in examples.

    Each entry in the extension section takes the form:

        name = value(s)

    If critical is present then the extension will be marked as critical.

    If multiple entries are processed for the same extension name, later entries override earlier ones with the same name.

    The format of values depends on the value of name; many have a type-value pairing where the type and value are separated by a colon.

    There are four main types of extension: string, multi-valued, raw and arbitrary. Each is described in the following paragraphs.

    String extensions simply have a string which contains either the value itself or how it is obtained.

    Multi-valued extensions have a short form and a long form. The short form is a comma-separated list of names and values:

        basicConstraints = critical, CA:true, pathlen:1

    The long form allows the values to be placed in a separate section that the extension entry refers to.

    If an extension is multi-value and a field value must contain a comma, the long form must be used; otherwise the comma would be misinterpreted as a field separator. For example:

        subjectAltName = URI:ldap:///CN=foo,OU=bar

    will produce an error, but the equivalent long form, with the value placed in its own section, is valid.

    OpenSSL does not support multiple occurrences of the same field within a section; only the last value is recognized. To specify multiple values, append a numeric identifier to the field name.

    The syntax of raw extensions is defined by the source code that parses the extension but should be documented. See "Certificate Policies" for an example of a raw extension.

    If an extension type is unsupported, then the arbitrary extension syntax must be used; see the "ARBITRARY EXTENSIONS" section for more details.

STANDARD EXTENSIONS
    The following sections describe the syntax of each supported extension. They do not define the semantics of the extension.

   Basic Constraints
    This is a multi-valued extension which indicates whether a certificate is a CA certificate. The first value is CA followed by TRUE or FALSE. If CA is TRUE then an optional pathlen name followed by a nonnegative value can be included.

    Example:

        basicConstraints = critical, CA:TRUE, pathlen:1

    A CA certificate must include the basicConstraints name with the CA parameter set to TRUE. An end-user certificate must either have CA:FALSE or omit the extension entirely.

    The pathlen parameter specifies the maximum number of CAs that can appear below this one in a chain. A pathlen of zero means the CA cannot sign any sub-CAs, and can only sign end-entity certificates.

   Key Usage
    Key usage is a multi-valued extension consisting of a list of names of the permitted key usages. The defined values are: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, and decipherOnly.

    Examples:

        keyUsage = digitalSignature, nonRepudiation
        keyUsage = critical, keyCertSign

   Extended Key Usage
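The short-form, long-form and numeric-identifier rules above, together with the Basic Constraints and Key Usage sections, turned into a small config renderer. This is an added example, not OpenSSL's own code; the section name subjectAltName_section and the DNS/URI sample values are assumed for illustration. It emits the short form unless a value contains a comma, switches to a referenced section in that case, numbers a field name that repeats within a section, rejects keyUsage names outside the defined list, and reads basicConstraints the way the page describes.

```python
"""Build an OpenSSL x509v3 extension section from Python values (constructed
example, not OpenSSL's own code). Short form by default, long form (@section)
when a value contains a comma, numeric suffixes when a field name repeats."""

KEY_USAGES = {"digitalSignature", "nonRepudiation", "keyEncipherment",
              "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
              "encipherOnly", "decipherOnly"}


def render_extensions(section, extensions):
    """extensions maps an extension name to (critical, [values]); values are
    written as in the config, e.g. "CA:TRUE" or "URI:ldap:///CN=foo,OU=bar".
    Returns the config text, with any long-form sections appended."""
    main, extra = [f"[{section}]"], []
    for ext, (critical, values) in extensions.items():
        if ext == "keyUsage" and not set(values) <= KEY_USAGES:
            raise ValueError(f"undefined keyUsage value in {values}")
        prefix = "critical, " if critical else ""
        if not any("," in v for v in values):
            main.append(f"{ext} = {prefix}{', '.join(values)}")
            continue
        # A comma inside a value would be read as a field separator in the
        # short form, so the fields go into their own section instead.
        sub = f"{ext}_section"  # assumed section name
        main.append(f"{ext} = {prefix}@{sub}")
        extra.append(f"\n[{sub}]")
        pairs = [v.partition(":") for v in values]
        names = [field for field, _, _ in pairs]
        seen = {}
        for field, _, value in pairs:
            if names.count(field) > 1:  # repeated name: only the last would count
                seen[field] = seen.get(field, 0) + 1
                field = f"{field}.{seen[field]}"
            extra.append(f"{field} = {value}")
    return "\n".join(main + extra) + "\n"


def ca_path_length(basic_constraints):
    """Interpret basicConstraints values as (is_ca, pathlen). pathlen None
    means no limit; CA:FALSE or an empty list means an end-entity cert."""
    fields = dict(v.split(":", 1) for v in basic_constraints)
    if fields.get("CA", "FALSE").upper() != "TRUE":
        return (False, None)
    depth = fields.get("pathlen")
    if depth is not None and int(depth) < 0:
        raise ValueError("pathlen must be a nonnegative value")
    return (True, None if depth is None else int(depth))
```

The rendered text can be saved to a file and passed to a command's configuration-file and section options as described above.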