Creating proxy certificates can be done using the L<openssl-x509(1)>
command, with some extra extensions:
- [ v3_proxy ]
+ [ proxy ]
# A proxy certificate MUST NEVER be a CA certificate.
- basicConstraints=CA:FALSE
-
+ basicConstraints = CA:FALSE
# Usual authority key ID
- authorityKeyIdentifier=keyid,issuer:always
-
+ authorityKeyIdentifier = keyid,issuer:always
# The extension which marks this certificate as a proxy
- proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+ proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
It's also possible to specify the proxy extension in a separate section:
- proxyCertInfo=critical,@proxy_ext
+ proxyCertInfo = critical,@proxy_ext
[ proxy_ext ]
- language=id-ppl-anyLanguage
- pathlen=0
- policy=text:BC
+ language = id-ppl-anyLanguage
+ pathlen = 0
+ policy = text:BC
The policy value has a specific syntax, I<syntag>:I<string>, where the
I<syntag> determines what will be done with the string. The following
indicates that the text of the policy should be taken from a file.
The string is then a filename. This is useful for policies that are
-large (more than a few lines, e.g. XML documents).
+more than a few lines, such as XML or other markup.
=back
-I<NOTE: The proxy policy value is what determines the rights granted
-to the process during the proxy certificate. It's up to the
+Note that the proxy policy value is what determines the rights granted
+to the process during the proxy certificate, and it is up to the
application to interpret and combine these policies.>
With a proxy extension, creating a proxy certificate is a matter of
openssl req -new -config proxy.cnf \
-out proxy.req -keyout proxy.key \
- -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1"
+ -subj "/DC=org/DC=openssl/DC=users/CN=proxy"
openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \
-CA user.crt -CAkey user.key -days 7 \
-extfile proxy.cnf -extensions proxy
You can also create a proxy certificate using another proxy
-certificate as issuer (note: using a different configuration
-section for the proxy extensions):
+certificate as issuer. Note that this example uses a different
+configuration section for the proxy extensions:
openssl req -new -config proxy.cnf \
-out proxy2.req -keyout proxy2.key \
- -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2"
+ -subj "/DC=org/DC=openssl/DC=users/CN=proxy/CN=proxy 2"
openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \
-CA proxy.crt -CAkey proxy.key -days 7 \
projects / oweals / openssl.git / commitdiff