author: Dr. Stephen Henson <steve@openssl.org> 1999-08-09 22:38:05 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 1999-08-09 22:38:05 +0000
commit: 87c49f622e7fe9d93b3ab87b1edd5faa32fa6e74 (patch)
tree: e2408f817ecc675e1f44400bc0f165557b00e17b /doc/openssl.txt
parent: 29159a42d2708cb962b3fa6358f3a02ec5cf46b2 (diff)
Support for parsing of certificate extensions in PKCS#10 requests: these are
used by things like Xenroll. Also include documentation for extendedKeyUsage extension.
Diffstat (limited to 'doc/openssl.txt')
-rw-r--r-- doc/openssl.txt | 32
1 files changed, 31 insertions, 1 deletions
diff --git a/doc/openssl.txt b/doc/openssl.txt
index 91b85e5f14..2f50038d17 100644
--- a/doc/openssl.txt
+++ b/doc/openssl.txt
@@ -188,7 +188,7 @@ email.1=steve@here
email.2=steve@there
This is because the configuration file code cannot handle the same name
-occurring twice in the same extension.
+occurring twice in the same section.
The syntax of raw extensions is governed by the extension code: it can
for example contain data in multiple sections. The correct syntax to
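Review bot: the correction to "section" in "+occurring twice in the same section." is right, but the sentence still leaves the constraint implicit; it would help to state outright that the configuration parser keys entries by name within a section, so repeating the same key would collide, which is why the `email.1`/`email.2` numbering shown above is needed.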
@@ -315,6 +315,36 @@ TRUE. An end user certificate MUST NOT have the CA value set to true.
According to PKIX recommendations it should exclude the extension entirely,
however some software may require CA set to FALSE for end entity certificates.
+Extended Key Usage.
+
+This extensions consists of a list of usages.
+
+These can either be object short names of the dotted numerical form of OIDs.
+While any OID can be used only certain values make sense. In partiular the
+following PKIX, NS and MS values are meaningful:
+
+Value Meaning
+----- -------
+serverAuth SSL/TLS Web Server Authentication.
+clientAuth SSL/TLS Web Client Authentication.
+codeSigning Code signing.
+emailProtection E-mail Protection (S/MIME).
+timeStamping Trusted Timestamping
+msCodeInd Microsoft Individual Code Signing (authenticode)
+msCodeCom Microsoft Commercial Code Signing (authenticode)
+msCTLSign Microsoft Trust List Signing
+msSGC Microsoft Server Gated Crypto
+msEFS Microsoft Encrypted File System
+nsSGC Netscape Server Gated Crypto
+
+For example, under IE5 a CA can be used for any purpose: by including a list
+of the above usages the CA can be restricted to only authorised uses.
+
+Note: software packages may place additional interpretations on certificate
+use, in particular some usages may only work for selected CAs. Don't for example
+expect just including msSGC or nsSGC will automatically mean that a certificate
+can be used for SGC ("step up" encryption) otherwise anyone could use it.
+
Subject Key Identifier.
This is really a string extension and can take two possible values. Either
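Review bot: the new Extended Key Usage text has several typos that should be fixed before merging: "This extensions consists" should read "This extension consists", "short names of the dotted numerical form" should be "short names or the dotted numerical form", and "partiular" should be "particular"; the table also mixes entries with and without a trailing period. More substantively, unlike the other extension sections in this file, this one gives no configuration example: a line such as `extendedKeyUsage=serverAuth,clientAuth` (and a note on whether the `critical` prefix used by the other extensions applies here) would show readers the syntax rather than only the permitted values. Finally, the IE5 paragraph could state explicitly what the later Note only implies: using extendedKeyUsage in a CA certificate to restrict what that CA may issue is a browser-specific interpretation, not something relying parties in general can be assumed to enforce.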