path: root/doc/openssl.txt
author: Dr. Stephen Henson <steve@openssl.org> 1999-05-08 12:59:50 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 1999-05-08 12:59:50 +0000
commit: e40b7abeed32f51f57e4578254aa1559762a8ea2 (patch)
tree: ba10e1d031a321c1023aee388ff255c70d987890 /doc/openssl.txt
parent: 7e797a06c3eeac137eeb2e5743a7982bb5636841 (diff)
download: openssl-e40b7abeed32f51f57e4578254aa1559762a8ea2.tar.gz
Allows PKCS#12 password to be placed on command line and allows config
file name for 'ca' to come from the environment.
Diffstat (limited to 'doc/openssl.txt')
-rw-r--r-- doc/openssl.txt 38
1 file changed, 34 insertions, 4 deletions
diff --git a/doc/openssl.txt b/doc/openssl.txt
index 76f49132f0..a90c49573b 100644
--- a/doc/openssl.txt
+++ b/doc/openssl.txt
@@ -98,6 +98,15 @@ indicates which section contains the extensions. In the case of 'req' the
extension section is used when the -x509 option is present to create a
self signed root certificate.
+The 'x509' utility also supports extensions when it signs a certificate.
+The -config option is used to set the configuration file containing the
+extensions. In this case a line with:
+
+extensions = extension_section
+
+in the nameless (default) section is used. If no such line is include then
+it uses the default section.
+
You can also add extensions to CRLs: a line
crl_extensions = crl_extension_section
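Review bot: "If no such line is include then" should read "is included", and the following "it uses the default section" is ambiguous here because the previous sentence has just used "default section" to mean the nameless top-level section; say explicitly which section is used when no `extensions =` line is present (e.g. "the extensions are taken from the section named after the utility" or whatever the code actually does) so a reader does not conclude that the nameless section itself is searched for extension lines.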
@@ -108,6 +117,17 @@ issuerAltName and authorityKeyIdentifier make any real sense. Note: these are
CRL extensions NOT CRL *entry* extensions which cannot currently be generated.
CRL entry extensions can be displayed.
+NB. At this time Netscape Communicator rejects V2 CRLs: to get an old V1 CRL
+you should comment out the crl_extensions line in the configuration file.
+
+As with all configuration files you can use the inbuilt environment expansion
+to allow the values to be passed in the environment. Therefore if you have
+several extension sections used for different purposes you can have a line:
+
+x509_extensions = $ENV::ENV_EXT
+
+and set the ENV_EXT environment variable before calling the relevant utility.
+
EXTENSION SYNTAX.
Extensions have the basic form:
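Review bot: The `x509_extensions = $ENV::ENV_EXT` paragraph should state what happens when ENV_EXT is not set in the environment at the time the utility is run (whether the configuration fails to load or the line is silently treated as empty), since an operator who forgets to export the variable needs to know whether they will get an error or a certificate without extensions. Minor: "inbuilt environment expansion" reads better as "built-in environment expansion", and the Netscape note could mention that the V1/V2 distinction follows from the presence or absence of the crl_extensions line, which is the reason commenting it out is the right fix.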
@@ -298,7 +318,10 @@ This is a RAW extension. It attempts to display the contents of this extension:
unfortuntately this extension is often improperly encoded.
The certificate policies extension will rarely be used in practice: few
-software packages interpret it correctly or at all.
+software packages interpret it correctly or at all. IE5 does partially
+support this extension: but it needs the 'ia5org' option because it will
+only correctly support a broken encoding. Of the options below only the
+policy OID, explicitText and CPS options are displayed with IE5.
All the fields of this extension can be set by using the appropriate syntax.
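Review bot: The new IE5 sentences stack two colons where a comma or full stop is wanted ("does partially support this extension: but it needs the 'ia5org' option because it will only correctly support a broken encoding"); suggest "IE5 partially supports this extension, but only with a broken encoding, so the 'ia5org' option is needed." Also "Of the options below only the policy OID, explicitText and CPS options are displayed" repeats "options"; drop the first occurrence. The unchanged context line above, "unfortuntately", is a typo for "unfortunately" and could be fixed while this paragraph is being touched.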
@@ -325,11 +348,13 @@ The value of the userNotice qualifier is specified in the relevant section. This
section can include explicitText, organization and noticeNumbers options.
explicitText and organization are text strings, noticeNumbers is a comma
separated list of numbers. The organization and noticeNumbers options (if
-included) must BOTH be present.
+included) must BOTH be present. If you use the userNotice option with IE5 then
+you need the 'ia5org' option at the top level to modify the encoding: otherwise
+it will not be interpreted properly.
Example:
-certificatePolicies=1.2.3.4,1.5.6.7.8,@polsect
+certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
[polsect]
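Review bot: Changing the only example to `certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect` means the default thing a reader copies is the encoding that the text itself describes as broken and non-PKIX. Keep the original `certificatePolicies=1.2.3.4,1.5.6.7.8,@polsect` as the standard example and show the ia5org form as a second, clearly labelled variant for IE5 compatibility, so the non-conforming encoding is an explicit opt-in rather than the documented default.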
@@ -344,6 +369,10 @@ explicitText="Explicit Text Here"
organization="Organisation Name"
noticeNumbers=1,2,3,4
+TECHNICAL NOTE: the ia5org option changes the type of the 'organization' field,
+according to PKIX it should be of type DisplayText but Verisign uses an
+IA5STRING and IE5 needs this too.
+
Display only extensions.
Some extensions are only partially supported and currently are only displayed
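Review bot: The TECHNICAL NOTE is a comma splice ("changes the type of the 'organization' field, according to PKIX it should be of type DisplayText but...") and "IE5 needs this too" leaves "this" ambiguous between the IA5STRING encoding and the ia5org option; suggest "the ia5org option changes the type of the 'organization' field: PKIX specifies DisplayText, but Verisign encodes it as an IA5STRING and IE5 only accepts that encoding." Citing the PKIX section that defines the userNotice qualifier would let readers verify the DisplayText claim themselves.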
@@ -374,7 +403,8 @@ private key and certificate pair.
No special initialisation is needed for the internal PKCS#12 library: the
standard SSLeay_add_all_algorithms() is sufficient. If you do not wish to
-add all algorithms then you can manually initialise the PKCS#12 library with:
+add all algorithms (you should at least add SHA1 though) then you can manually
+initialise the PKCS#12 library with:
PKSC12_PBE_add();
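Review bot: The parenthetical "(you should at least add SHA1 though)" gives the requirement without the reason; state what SHA1 is needed for in PKCS#12 processing so readers know whether omitting it breaks the MAC check, the key derivation or both, and so they can judge what else to add for other files. The unchanged context line `PKSC12_PBE_add();` is a typo for `PKCS12_PBE_add();` and, since this is the very call the sentence is pointing readers at, should be corrected in the same change.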