Merge branch 'vendor/OPENSSL'
[dragonfly.git] / secure / usr.bin / openssl / man / x509v3_config.5
aac4ff6f 1.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
13.de Sp \" Vertical space (when we can't use .PP)
14.if t .sp .5v
15.if n .sp
16..
17.de Vb \" Begin verbatim text
18.ft CW
19.nf
20.ne \\$1
21..
22.de Ve \" End verbatim text
23.ft R
24.fi
25..
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
28.\" double quote, and \*(R" will give a right double quote. | will give a
29.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
30.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
31.\" expand to `' in nroff, nothing in troff, for use with C<>.
32.tr \(*W-|\(bv\*(Tr
33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
34.ie n \{\
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
43'br\}
44.el\{\
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
49'br\}
50.\"
51.\" If the F register is turned on, we'll generate index entries on stderr for
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
53.\" entries marked with X<> in POD. Of course, you'll have to process the
54.\" output yourself in some meaningful fashion.
55.if \nF \{\
56. de IX
57. tm Index:\\$1\t\\n%\t"\\$2"
58..
59. nr % 0
60. rr F
61.\}
62.\"
63.\" For nroff, turn off justification. Always turn off hyphenation; it makes
64.\" way too many mistakes in technical documents.
65.hy 0
66.if n .na
67.\"
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69.\" Fear. Run. Save yourself. No user-serviceable parts.
70. \" fudge factors for nroff and troff
71.if n \{\
72. ds #H 0
73. ds #V .8m
74. ds #F .3m
75. ds #[ \f1
76. ds #] \fP
77.\}
78.if t \{\
79. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
80. ds #V .6m
81. ds #F 0
82. ds #[ \&
83. ds #] \&
84.\}
85. \" simple accents for nroff and troff
86.if n \{\
87. ds ' \&
88. ds ` \&
89. ds ^ \&
90. ds , \&
91. ds ~ ~
92. ds /
93.\}
94.if t \{\
95. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
101.\}
102. \" troff and (daisy-wheel) nroff accents
103.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110.ds ae a\h'-(\w'a'u*4/10)'e
111.ds Ae A\h'-(\w'A'u*4/10)'E
112. \" corrections for vroff
113.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
115. \" for low resolution devices (crt and lpr)
116.if \n(.H>23 .if \n(.V>19 \
117\{\
118. ds : e
119. ds 8 ss
120. ds o a
121. ds d- d\h'-1'\(ga
122. ds D- D\h'-1'\(hy
123. ds th \o'bp'
124. ds Th \o'LP'
125. ds ae ae
126. ds Ae AE
127.\}
128.rm #[ #] #H #V #F C
129.\" ========================================================================
130.\"
131.IX Title "X509V3_CONFIG 5"
18ed9402 132.TH X509V3_CONFIG 5 "2008-09-27" "0.9.8i" "OpenSSL"
133.SH "NAME"
134x509v3_config \- X509 V3 certificate extension configuration format
135.SH "DESCRIPTION"
136.IX Header "DESCRIPTION"
137Several of the OpenSSL utilities can add extensions to a certificate or
138certificate request based on the contents of a configuration file.
139.PP
140Typically the application will contain an option to point to an extension
141section. Each line of the extension section takes the form:
142.PP
143.Vb 1
144\& extension_name=[critical,] extension_options
145.Ve
146.PP
147If \fBcritical\fR is present then the extension will be critical. A conforming relying party that does not recognise a critical extension must reject the certificate (see \s-1RFC3280\s0), so an extension should only be marked critical when that is the intended effect.
148.PP
149The format of \fBextension_options\fR depends on the value of \fBextension_name\fR.
150.PP
151There are four main types of extension: \fIstring\fR extensions, \fImulti-valued\fR
152extensions, \fIraw\fR and \fIarbitrary\fR extensions.
153.PP
154String extensions simply have a string which contains either the value itself
155or how it is obtained.
156.PP
157For example:
158.PP
159.Vb 1
160\& nsComment="This is a Comment"
161.Ve
162.PP
163Multi-valued extensions have a short form and a long form. The short form
164is a list of names and values:
165.PP
166.Vb 1
167\& basicConstraints=critical,CA:true,pathlen:1
168.Ve
169.PP
170The long form allows the values to be placed in a separate section:
171.PP
172.Vb 1
173\& basicConstraints=critical,@bs_section
174.Ve
175.PP
176.Vb 1
a561f9ff 177\& [bs_section]
178.Ve
179.PP
180.Vb 2
181\& CA=true
182\& pathlen=1
183.Ve
184.PP
185Both forms are equivalent.
186.PP
187The syntax of raw extensions is governed by the extension code: it can
188for example contain data in multiple sections. The correct syntax to
189use is defined by the extension code itself: check out the certificate
190policies extension for an example.
191.PP
192If an extension type is unsupported then the \fIarbitrary\fR extension syntax
193must be used; see the \s-1ARBITRARY\s0 \s-1EXTENSIONS\s0 section for more details.
194.SH "STANDARD EXTENSIONS"
195.IX Header "STANDARD EXTENSIONS"
196The following sections describe each supported extension in detail.
197.Sh "Basic Constraints."
198.IX Subsection "Basic Constraints."
199This is a multi-valued extension which indicates whether a certificate is
200a \s-1CA\s0 certificate. The first (mandatory) name is \fB\s-1CA\s0\fR followed by \fB\s-1TRUE\s0\fR or
201\&\fB\s-1FALSE\s0\fR. If \fB\s-1CA\s0\fR is \fB\s-1TRUE\s0\fR then an optional \fBpathlen\fR name followed by a
202non-negative value can be included.
203.PP
204For example:
205.PP
206.Vb 1
207\& basicConstraints=CA:TRUE
208.Ve
209.PP
210.Vb 1
a561f9ff 211\& basicConstraints=CA:FALSE
212.Ve
213.PP
214.Vb 1
215\& basicConstraints=critical,CA:TRUE, pathlen:0
216.Ve
217.PP
218A \s-1CA\s0 certificate \fBmust\fR include the basicConstraints value with the \s-1CA\s0 field
219set to \s-1TRUE\s0. An end user certificate must either set \s-1CA\s0 to \s-1FALSE\s0 or exclude the
220extension entirely. Some software may require the inclusion of basicConstraints
221with \s-1CA\s0 set to \s-1FALSE\s0 for end entity certificates.
222.PP
223The pathlen parameter indicates the maximum number of CAs that can appear
224below this one in a chain. So if you have a \s-1CA\s0 with a pathlen of zero it can
225only be used to sign end user certificates and not further CAs.
226.Sh "Key Usage."
227.IX Subsection "Key Usage."
228Key usage is a multi-valued extension consisting of a list of names of the
229permitted key usages.
230.PP
231The supported names are: digitalSignature, nonRepudiation, keyEncipherment,
232dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly
233and decipherOnly.
234.PP
235Examples:
236.PP
237.Vb 1
238\& keyUsage=digitalSignature, nonRepudiation
239.Ve
240.PP
241.Vb 1
242\& keyUsage=critical, keyCertSign
243.Ve
244.Sh "Extended Key Usage."
245.IX Subsection "Extended Key Usage."
246This extension consists of a list of usages indicating the purposes for which
247the certificate public key can be used.
248.PP
249These can either be object short names or the dotted numerical form of OIDs.
250While any \s-1OID\s0 can be used only certain values make sense. In particular the
251following \s-1PKIX\s0, \s-1NS\s0 and \s-1MS\s0 values are meaningful:
252.PP
aac4ff6f 253.Vb 13
a561f9ff 254\& Value Meaning
aac4ff6f 255\& ----- -------
256\& serverAuth SSL/TLS Web Server Authentication.
257\& clientAuth SSL/TLS Web Client Authentication.
258\& codeSigning Code signing.
aac4ff6f 259\& emailProtection E-mail Protection (S/MIME).
260\& timeStamping Trusted Timestamping
261\& msCodeInd Microsoft Individual Code Signing (authenticode)
262\& msCodeCom Microsoft Commercial Code Signing (authenticode)
263\& msCTLSign Microsoft Trust List Signing
264\& msSGC Microsoft Server Gated Crypto
265\& msEFS Microsoft Encrypted File System
266\& nsSGC Netscape Server Gated Crypto
267.Ve
268.PP
269Examples:
270.PP
271.Vb 2
272\& extendedKeyUsage=critical,codeSigning,1.2.3.4
273\& extendedKeyUsage=nsSGC,msSGC
274.Ve
275.Sh "Subject Key Identifier."
276.IX Subsection "Subject Key Identifier."
277This is really a string extension and can take two possible values. Either
278the word \fBhash\fR which will automatically follow the guidelines in \s-1RFC3280\s0
279or a hex string giving the extension value to include. The use of the hex
280string is strongly discouraged.
281.PP
282Example:
283.PP
284.Vb 1
285\& subjectKeyIdentifier=hash
286.Ve
287.Sh "Authority Key Identifier."
288.IX Subsection "Authority Key Identifier."
289The authority key identifier extension permits two options. keyid and issuer:
290both can take the optional value \*(L"always\*(R".
291.PP
292If the keyid option is present an attempt is made to copy the subject key
293identifier from the parent certificate. If the value \*(L"always\*(R" is present
294then an error is returned if the option fails.
295.PP
296The issuer option copies the issuer and serial number from the issuer
297certificate. This will only be done if the keyid option fails or
298is not included, unless the \*(L"always\*(R" flag is given, in which case the value is always included.
299.PP
300Example:
301.PP
302.Vb 1
303\& authorityKeyIdentifier=keyid,issuer
304.Ve
305.Sh "Subject Alternative Name."
306.IX Subsection "Subject Alternative Name."
307The subject alternative name extension allows various literal values to be
308included in the configuration file. These include \fBemail\fR (an email address)
309\&\fB\s-1URI\s0\fR (a uniform resource identifier), \fB\s-1DNS\s0\fR (a \s-1DNS\s0 domain name), \fB\s-1RID\s0\fR (a
310registered \s-1ID:\s0 \s-1OBJECT\s0 \s-1IDENTIFIER\s0), \fB\s-1IP\s0\fR (an \s-1IP\s0 address), \fBdirName\fR
311(a distinguished name) and otherName.
312.PP
313The email option includes a special 'copy' value. This will automatically
314include any email addresses contained in the certificate subject name in
315the extension.
316.PP
317The \s-1IP\s0 address used in the \fB\s-1IP\s0\fR options can be in either IPv4 or IPv6 format.
318.PP
319The value of \fBdirName\fR should point to a section containing the distinguished
320name to use as a set of name value pairs. Multi-valued AVAs can be formed by
321preceding the name with a \fB+\fR character.
322.PP
323otherName can include arbitrary data associated with an \s-1OID:\s0 the value
324should be the \s-1OID\s0 followed by a semicolon and the content in standard
325\&\fIASN1_generate_nconf()\fR format.
326.PP
327Examples:
328.PP
329.Vb 5
330\& subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
331\& subjectAltName=IP:192.168.7.1
332\& subjectAltName=IP:13::17
333\& subjectAltName=email:my@other.address,RID:1.2.3.4
334\& subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
335.Ve
336.PP
337.Vb 1
a561f9ff 338\& subjectAltName=dirName:dir_sect
339.Ve
340.PP
341.Vb 5
342\& [dir_sect]
343\& C=UK
344\& O=My Organization
345\& OU=My Unit
346\& CN=My Name
347.Ve
348.Sh "Issuer Alternative Name."
349.IX Subsection "Issuer Alternative Name."
350The issuer alternative name option supports all the literal options of
351subject alternative name. It does \fBnot\fR support the email:copy option because
352that would not make sense. It does support an additional issuer:copy option
353that will copy all the subject alternative name values from the issuer
354certificate (if possible).
355.PP
356Example:
357.PP
358.Vb 1
359\& issuerAltName = issuer:copy
360.Ve
361.Sh "Authority Info Access."
362.IX Subsection "Authority Info Access."
363The authority information access extension gives details about how to access
364certain information relating to the \s-1CA\s0. Its syntax is accessOID;location
365where \fIlocation\fR has the same syntax as subject alternative name (except
366that email:copy is not supported). accessOID can be any valid \s-1OID\s0 but only
367certain values are meaningful, for example \s-1OCSP\s0 and caIssuers.
368.PP
369Example:
370.PP
371.Vb 2
372\& authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
373\& authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
374.Ve
375.Sh "\s-1CRL\s0 distribution points."
376.IX Subsection "CRL distribution points."
377This is a multi-valued extension that supports all the literal options of
378subject alternative name. Of the few software packages that currently interpret
379this extension most only interpret the \s-1URI\s0 option.
380.PP
381Currently each option will set a new DistributionPoint with the fullName
382field set to the given value.
383.PP
384Other fields like cRLIssuer and reasons cannot currently be set or displayed:
385at this time no examples were available that used these fields.
386.PP
387Examples:
388.PP
389.Vb 2
390\& crlDistributionPoints=URI:http://myhost.com/myca.crl
391\& crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl
392.Ve
393.Sh "Certificate Policies."
394.IX Subsection "Certificate Policies."
395This is a \fIraw\fR extension. All the fields of this extension can be set by
396using the appropriate syntax.
397.PP
398If you follow the \s-1PKIX\s0 recommendations and use just one \s-1OID\s0 then you just
399include the value of that \s-1OID\s0. Multiple OIDs can be set separated by commas,
400for example:
401.PP
402.Vb 1
403\& certificatePolicies= 1.2.4.5, 1.1.3.4
404.Ve
405.PP
406If you wish to include qualifiers then the policy \s-1OID\s0 and qualifiers need to
407be specified in a separate section: this is done by using the \f(CW@section\fR syntax
408instead of a literal \s-1OID\s0 value.
409.PP
410The section referred to must include the policy \s-1OID\s0 using the name
411policyIdentifier, cPSuri qualifiers can be included using the syntax:
412.PP
413.Vb 1
414\& CPS.nnn=value
415.Ve
416.PP
417userNotice qualifiers can be set using the syntax:
418.PP
419.Vb 1
420\& userNotice.nnn=@notice
421.Ve
422.PP
423The value of the userNotice qualifier is specified in the relevant section.
424This section can include explicitText, organization and noticeNumbers
425options. explicitText and organization are text strings, noticeNumbers is a
426comma separated list of numbers. The organization and noticeNumbers options
427(if included) must \s-1BOTH\s0 be present. If you use the userNotice option with \s-1IE5\s0
428then you need the 'ia5org' option at the top level to modify the encoding:
429otherwise it will not be interpreted properly.
430.PP
431Example:
432.PP
433.Vb 1
434\& certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
435.Ve
436.PP
437.Vb 1
a561f9ff 438\& [polsect]
439.Ve
440.PP
441.Vb 4
442\& policyIdentifier = 1.3.5.8
443\& CPS.1="http://my.host.name/"
444\& CPS.2="http://my.your.name/"
445\& userNotice.1=@notice
446.Ve
447.PP
448.Vb 1
a561f9ff 449\& [notice]
450.Ve
451.PP
452.Vb 3
453\& explicitText="Explicit Text Here"
454\& organization="Organisation Name"
455\& noticeNumbers=1,2,3,4
456.Ve
457.PP
458The \fBia5org\fR option changes the type of the \fIorganization\fR field. In \s-1RFC2459\s0
459it can only be of type DisplayText. In \s-1RFC3280\s0 IA5String is also permissible.
460Some software (for example some versions of \s-1MSIE\s0) may require ia5org.
461.Sh "Policy Constraints"
462.IX Subsection "Policy Constraints"
463This is a multi-valued extension which consists of the names
464\&\fBrequireExplicitPolicy\fR or \fBinhibitPolicyMapping\fR and a non-negative integer
465value. At least one component must be present.
466.PP
467Example:
468.PP
469.Vb 1
470\& policyConstraints = requireExplicitPolicy:3
471.Ve
472.Sh "Inhibit Any Policy"
473.IX Subsection "Inhibit Any Policy"
474This is a string extension whose value must be a non-negative integer.
475.PP
476Example:
477.PP
478.Vb 1
479\& inhibitAnyPolicy = 2
480.Ve
481.Sh "Name Constraints"
482.IX Subsection "Name Constraints"
483The name constraints extension is a multi-valued extension. The name should
484begin with the word \fBpermitted\fR or \fBexcluded\fR followed by a \fB;\fR. The rest of
485the name and the value follows the syntax of subjectAltName except email:copy
486is not supported and the \fB\s-1IP\s0\fR form should consist of an \s-1IP\s0 address and
487subnet mask separated by a \fB/\fR.
488.PP
489Examples:
490.PP
491.Vb 1
492\& nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
493.Ve
494.PP
495.Vb 1
a561f9ff 496\& nameConstraints=permitted;email:.somedomain.com
497.Ve
498.PP
499.Vb 1
500\& nameConstraints=excluded;email:.com
501.Ve
502.SH "DEPRECATED EXTENSIONS"
503.IX Header "DEPRECATED EXTENSIONS"
504The following extensions are non standard, Netscape specific and largely
505obsolete. Their use in new applications is discouraged.
506.Sh "Netscape String extensions."
507.IX Subsection "Netscape String extensions."
508Netscape Comment (\fBnsComment\fR) is a string extension containing a comment
509which will be displayed when the certificate is viewed in some browsers.
510.PP
511Example:
512.PP
513.Vb 1
514\& nsComment = "Some Random Comment"
515.Ve
516.PP
517Other supported extensions in this category are: \fBnsBaseUrl\fR,
518\&\fBnsRevocationUrl\fR, \fBnsCaRevocationUrl\fR, \fBnsRenewalUrl\fR, \fBnsCaPolicyUrl\fR
519and \fBnsSslServerName\fR.
520.Sh "Netscape Certificate Type"
521.IX Subsection "Netscape Certificate Type"
522This is a multi-valued extension which consists of a list of flags to be
523included. It was used to indicate the purposes for which a certificate could
524be used. The basicConstraints, keyUsage and extended key usage extensions are
525now used instead.
526.PP
527Acceptable values for nsCertType are: \fBclient\fR, \fBserver\fR, \fBemail\fR,
528\&\fBobjsign\fR, \fBreserved\fR, \fBsslCA\fR, \fBemailCA\fR, \fBobjCA\fR.
529.SH "ARBITRARY EXTENSIONS"
530.IX Header "ARBITRARY EXTENSIONS"
531If an extension is not supported by the OpenSSL code then it must be encoded
532using the arbitrary extension format. It is also possible to use the arbitrary
533format for supported extensions. Extreme care should be taken to ensure that
534the data is formatted correctly for the given extension type.
535.PP
536There are two ways to encode arbitrary extensions.
537.PP
538The first way is to use the word \s-1ASN1\s0 followed by the extension content
539using the same syntax as \fIASN1_generate_nconf()\fR. For example:
540.PP
541.Vb 1
542\& 1.2.3.4=critical,ASN1:UTF8String:Some random data
543.Ve
544.PP
545.Vb 1
a561f9ff 546\& 1.2.3.4=ASN1:SEQUENCE:seq_sect
547.Ve
548.PP
549.Vb 1
a561f9ff 550\& [seq_sect]
551.Ve
552.PP
553.Vb 2
554\& field1 = UTF8:field1
555\& field2 = UTF8:field2
556.Ve
557.PP
558It is also possible to use the word \s-1DER\s0 to include the raw encoded data in any
559extension.
560.PP
561.Vb 2
562\& 1.2.3.4=critical,DER:01:02:03:04
563\& 1.2.3.4=DER:01020304
564.Ve
565.PP
566The value following \s-1DER\s0 is a hex dump of the \s-1DER\s0 encoding of the extension.
567Any extension can be placed in this form to override the default behaviour.
568For example:
569.PP
570.Vb 1
571\& basicConstraints=critical,DER:00:01:02:03
572.Ve
573.SH "WARNING"
574.IX Header "WARNING"
575There is no guarantee that a specific implementation will process a given
576extension. It may therefore be sometimes possible to use certificates for
577purposes prohibited by their extensions because a specific application does
578not recognize or honour the values of the relevant extensions.
579.PP
580The \s-1DER\s0 and \s-1ASN1\s0 options should be used with caution. It is possible to create
581totally invalid extensions if they are not used carefully.
582.SH "NOTES"
583.IX Header "NOTES"
584If an extension is multi-value and a field value must contain a comma the long
585form must be used otherwise the comma would be misinterpreted as a field
586separator. For example:
587.PP
588.Vb 1
589\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
590.Ve
591.PP
592will produce an error but the equivalent form:
593.PP
594.Vb 1
595\& subjectAltName=@subject_alt_section
596.Ve
597.PP
598.Vb 2
599\& [subject_alt_section]
600\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
601.Ve
602.PP
aac4ff6f 603is valid.
604.PP
605Due to the behaviour of the OpenSSL \fBconf\fR library the same field name
606can only occur once in a section. This means that:
607.PP
608.Vb 1
609\& subjectAltName=@alt_section
610.Ve
611.PP
612.Vb 1
a561f9ff 613\& [alt_section]
614.Ve
615.PP
616.Vb 2
617\& email=steve@here
618\& email=steve@there
619.Ve
620.PP
621will only recognize the last value. This can be worked around by using the form:
622.PP
623.Vb 1
624\& [alt_section]
625.Ve
626.PP
627.Vb 2
628\& email.1=steve@here
629\& email.2=steve@there
630.Ve
631.SH "HISTORY"
632.IX Header "HISTORY"
633The X509v3 extension code was first added to OpenSSL 0.9.2.
634.PP
635Policy mappings, inhibit any policy and name constraints support was added in
636OpenSSL 0.9.8.
637.PP
638The \fBdirectoryName\fR and \fBotherName\fR options as well as the \fB\s-1ASN1\s0\fR option
639for arbitrary extensions were added in OpenSSL 0.9.8.
640.SH "SEE ALSO"
641.IX Header "SEE ALSO"
642\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIx509\fR\|(1)