From 2b584ff372b2b25bb6801172bbeb90074b26f88c Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Mon, 27 Apr 2020 12:57:01 -0400 Subject: [PATCH] Update manpage to fix examples, other minor tweaks Reviewed-by: Matthias St. Pierre Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11347) --- doc/man7/proxy-certificates.pod | 32 ++++++++++++++--------------- test/recipes/25-test_verify_store.t | 2 +- test/recipes/80-test_ssl_old.t | 4 ++-- test/recipes/90-test_store.t | 2 +- 4 files changed, 19 insertions(+), 21 deletions(-) diff --git a/doc/man7/proxy-certificates.pod b/doc/man7/proxy-certificates.pod index ca1f491ac5..eab28b5658 100644 --- a/doc/man7/proxy-certificates.pod +++ b/doc/man7/proxy-certificates.pod @@ -57,24 +57,22 @@ See L for a discussion on this requirement. Creating proxy certificates can be done using the L command, with some extra extensions: - [ v3_proxy ] + [ proxy ] # A proxy certificate MUST NEVER be a CA certificate. - basicConstraints=CA:FALSE - + basicConstraints = CA:FALSE # Usual authority key ID - authorityKeyIdentifier=keyid,issuer:always - + authorityKeyIdentifier = keyid,issuer:always # The extension which marks this certificate as a proxy - proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB + proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB It's also possible to specify the proxy extension in a separate section: - proxyCertInfo=critical,@proxy_ext + proxyCertInfo = critical,@proxy_ext [ proxy_ext ] - language=id-ppl-anyLanguage - pathlen=0 - policy=text:BC + language = id-ppl-anyLanguage + pathlen = 0 + policy = text:BC The policy value has a specific syntax, I:I, where the I determines what will be done with the string. The following 
@@ -99,12 +97,12 @@ colons between each byte (every second hex digit): indicates that the text of the policy should be taken from a file. The string is then a filename. This is useful for policies that are -large (more than a few lines, e.g. XML documents). +more than a few lines, such as XML or other markup. =back -I With a proxy extension, creating a proxy certificate is a matter of @@ -112,19 +110,19 @@ two commands: openssl req -new -config proxy.cnf \ -out proxy.req -keyout proxy.key \ - -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1" + -subj "/DC=org/DC=openssl/DC=users/CN=proxy" openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \ -CA user.crt -CAkey user.key -days 7 \ -extfile proxy.cnf -extensions proxy You can also create a proxy certificate using another proxy -certificate as issuer (note: using a different configuration -section for the proxy extensions): +certificate as issuer. Note that this example uses a different +configuration section for the proxy extensions: openssl req -new -config proxy.cnf \ -out proxy2.req -keyout proxy2.key \ - -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2" + -subj "/DC=org/DC=openssl/DC=users/CN=proxy/CN=proxy 2" openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \ -CA proxy.crt -CAkey proxy.key -days 7 \ diff --git a/test/recipes/25-test_verify_store.t b/test/recipes/25-test_verify_store.t index 9246f33868..2afb8cb56f 100644 --- a/test/recipes/25-test_verify_store.t +++ b/test/recipes/25-test_verify_store.t @@ -18,7 +18,7 @@ plan tests => 10; my $dummycnf = srctop_file("apps", "openssl.cnf"); -my $cnf=srctop_file("test","ca-and-certs.cnf"); +my $cnf = srctop_file("test", "ca-and-certs.cnf"); my $CAkey = "keyCA.ss"; my $CAcert="certCA.ss"; my $CAserial="certCA.srl"; diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index b49d895c32..85f71614c4 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t 
@@ -44,7 +44,7 @@ my @verifycmd = ("openssl", "verify"); my @genpkeycmd = ("openssl", "genpkey"); my $dummycnf = srctop_file("apps", "openssl.cnf"); -my $cnf=srctop_file("test","ca-and-certs.cnf"); +my $cnf = srctop_file("test", "ca-and-certs.cnf"); my $CAkey = "keyCA.ss"; my $CAcert="certCA.ss"; my $CAserial="certCA.srl"; @@ -60,7 +60,7 @@ my $Ekey="keyE.ss"; my $Ereq="reqE.ss"; my $Ecert="certE.ss"; -my $proxycnf=srctop_file("test","proxy.cnf"); +my $proxycnf=srctop_file("test", "proxy.cnf"); my $P1key="keyP1.ss"; my $P1req="reqP1.ss"; my $P1cert="certP1.ss"; diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t index 09d9604e9d..337bbb10c9 100644 --- a/test/recipes/90-test_store.t +++ b/test/recipes/90-test_store.t @@ -16,7 +16,7 @@ my $test_name = "test_store"; setup($test_name); my $mingw = config('target') =~ m|^mingw|; -my $cnf=srctop_file("test","ca-and-certs.cnf"); +my $cnf = srctop_file("test", "ca-and-certs.cnf"); my @noexist_files = ( "test/blahdiblah.pem", -- 2.25.1
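Review bot: The changed `$proxycnf` line in the second hunk of test/recipes/80-test_ssl_old.t (`@@ -60,7 +60,7 @@`) still has no spaces around `=`, unlike the `my $cnf = srctop_file("test", "ca-and-certs.cnf");` form this same commit applies in the first hunk of that file and in 25-test_verify_store.t and 90-test_store.t. Since the line is already being touched, write it as `my $proxycnf = srctop_file("test", "proxy.cnf");`. The surrounding context assignments (`$CAcert="certCA.ss"`, `$P1key="keyP1.ss"`) also keep the unspaced form, so the file remains mixed either way; that may be deliberate to keep the patch small.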