diff options
-rw-r--r-- | apps/apps.c | 1 | ||||
-rw-r--r-- | apps/openssl.cnf | 5 | ||||
-rw-r--r-- | doc/apps/ca.pod | 27 | ||||
-rw-r--r-- | doc/apps/x509.pod | 32 |
4 files changed, 52 insertions, 13 deletions
diff --git a/apps/apps.c b/apps/apps.c index ab30e53ba5..d8d9140075 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -796,6 +796,7 @@ int set_name_ex(unsigned long *flags, const char *arg) { "nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK}, { "sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK}, { "lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK}, + { "align", XN_FLAG_FN_ALIGN, 0}, { "oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK}, { "space_eq", XN_FLAG_SPC_EQ, 0}, { "dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0}, diff --git a/apps/openssl.cnf b/apps/openssl.cnf index c089a21f27..f02b2bdf84 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -48,6 +48,11 @@ RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crl_extensions = crl_ext diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 5adf805a94..e441a620c1 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -317,6 +317,23 @@ the same as B<-msie_hack> the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section for more information. +=item B<nameopt>, B<certopt> + +these options allow the format used to display the certificate details +when asking the user to confirm signing. All the options supported by +the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used +here, except the B<no_signame> and B<no_sigdump> are permanently set +and cannot be disabled (this is because the certificate signature cannot +be displayed because the certificate has not been signed at this point). + +For convenience the values B<default_ca> are accepted by both to produce +a reasonable output. + +If neither option is present the format used in earlier versions of +OpenSSL is used. Use of the old format is B<strongly> discouraged because +it only displays fields mentioned in the B<policy> section, mishandles +multicharacter string types and does not display extensions. + =back =head1 POLICY FORMAT @@ -407,6 +424,9 @@ A sample configuration file with the relevant sections for B<ca>: policy = policy_any # default policy + nameopt = default_ca # Subject name display option + certopt = default_ca # Certificate display option + [ policy_any ] countryName = supplied stateOrProvinceName = optional @@ -420,7 +440,7 @@ A sample configuration file with the relevant sections for B<ca>: The B<ca> command is quirky and at times downright unfriendly. The B<ca> utility was originally meant as an example of how to do things -in a CA. It was not supposed be be used as a full blown CA itself: +in a CA. It was not supposed to be used as a full blown CA itself: nevertheless some people are using it for this purpose. The B<ca> command is effectively a single user command: no locking is @@ -487,9 +507,8 @@ exposed at either a command or interface level so a more friendly utility B<CA.pl> help a little but not very much. Any fields in a request that are not present in a policy are silently -deleted. This does not happen if the B<-preserveDN> option is used but -the extra fields are not displayed when the user is asked to certify -a request. The behaviour should be more friendly and configurable. +deleted. This does not happen if the B<-preserveDN> option is used. +The behaviour should be more friendly and configurable. Cancelling some commands by refusing to certify a certificate can create an empty file. diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index dab9fa1333..a584785b47 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -115,9 +115,10 @@ any extensions present and any trust settings. =item B<-certopt option> -customise the output format used with B<-text>. This option may be used more -than once to set multiple options. See the B<OUTPUT OPTIONS> section for -more information. +customise the output format used with B<-text>. The B<option> argument can be +a single option or multiple options separated by commas. The B<-certopt> switch +may be also be used more than once to set multiple options. See the B<TEXT OPTIONS> +section for more information. =item B<-noout> @@ -148,9 +149,10 @@ outputs the issuer name. =item B<-nameopt option> -option which determines how the subject or issuer names are displayed. This -option may be used more than once to set multiple options. See the B<NAME -OPTIONS> section for more information. +option which determines how the subject or issuer names are displayed. The +B<option> argument can be a single option or multiple options separated by +commas. Alternatively the B<-nameopt> switch may be used more than once to +set multiple options. See the B<NAME OPTIONS> section for more information. =item B<-email> @@ -390,7 +392,7 @@ options. =item B<multiline> a multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>, -B<spc_eq> and B<lname>. +B<spc_eq>, B<lname> and B<align>. =item B<esc_2253> @@ -485,6 +487,11 @@ not display the field at all. B<sname> uses the "short name" form B<oid> represents the OID in numerical form and is useful for diagnostic purpose. +=item B<align> + +align field values for a more readable output. Only usable with +B<sep_multiline>. + =item B<spc_eq> places spaces round the B<=> character which follows the field @@ -492,7 +499,7 @@ name. =back -=head1 OUTPUT OPTIONS +=head1 TEXT OPTIONS As well as customising the name output format, it is also possible to customise the actual fields printed using the B<certopt> options when @@ -562,6 +569,13 @@ ASN1 parse unsupported extensions. hex dump unsupported extensions. +=item B<ca_default> + +the value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>, B<no_header>, +B<no_version>, B<no_sigdump> and B<no_signame>. + + + =over 4 =back @@ -590,7 +604,7 @@ Display the certificate subject name in RFC2253 form: Display the certificate subject name in oneline form on a terminal supporting UTF8: - openssl x509 -in cert.pem -noout -subject -nameopt oneline -nameopt -escmsb + openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb Display the certificate MD5 fingerprint: |