CMSCOPE changed

2 files changed, 1030 insertions, 0 deletions

diff --git a/usr/man/man5/config.5 b/usr/man/man5/config.5
new file mode 100755
index 000000000..737a81aa8
--- /dev/null
+++ b/usr/man/man5/config.5
@@ -0,0 +1,420 @@
+.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+.    ds C`
+.    ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
+..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
+.\}
+.rr rF
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "CONFIG 5"
+.TH CONFIG 5 "2014-06-05" "0.9.8za" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+config \- OpenSSL CONF library configuration files
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The OpenSSL \s-1CONF\s0 library can be used to read configuration files.
+It is used for the OpenSSL master configuration file \fBopenssl.cnf\fR
+and in a few other places like \fB\s-1SPKAC\s0\fR files and certificate extension
+files for the \fBx509\fR utility. OpenSSL applications can also use the
+\&\s-1CONF\s0 library for their own purposes.
+.PP
+A configuration file is divided into a number of sections. Each section
+starts with a line \fB[ section_name ]\fR and ends when a new section is
+started or end of file is reached. A section name can consist of
+alphanumeric characters and underscores.
+.PP
+The first section of a configuration file is special and is referred
+to as the \fBdefault\fR section this is usually unnamed and is from the
+start of file until the first named section. When a name is being looked up
+it is first looked up in a named section (if any) and then the
+default section.
+.PP
+The environment is mapped onto a section called \fB\s-1ENV\s0\fR.
+.PP
+Comments can be included by preceding them with the \fB#\fR character
+.PP
+Each section in a configuration file consists of a number of name and
+value pairs of the form \fBname=value\fR
+.PP
+The \fBname\fR string can contain any alphanumeric characters as well as
+a few punctuation symbols such as \fB.\fR \fB,\fR \fB;\fR and \fB_\fR.
+.PP
+The \fBvalue\fR string consists of the string following the \fB=\fR character
+until end of line with any leading and trailing white space removed.
+.PP
+The value string undergoes variable expansion. This can be done by
+including the form \fB\f(CB$var\fB\fR or \fB${var}\fR: this will substitute the value
+of the named variable in the current section. It is also possible to
+substitute a value from another section using the syntax \fB\f(CB$section::name\fB\fR
+or \fB${section::name}\fR. By using the form \fB\f(CB$ENV::name\fB\fR environment
+variables can be substituted. It is also possible to assign values to
+environment variables by using the name \fBENV::name\fR, this will work
+if the program looks up environment variables using the \fB\s-1CONF\s0\fR library
+instead of calling \fB\f(BIgetenv()\fB\fR directly.
+.PP
+It is possible to escape certain characters by using any kind of quote
+or the \fB\e\fR character. By making the last character of a line a \fB\e\fR
+a \fBvalue\fR string can be spread across multiple lines. In addition
+the sequences \fB\en\fR, \fB\er\fR, \fB\eb\fR and \fB\et\fR are recognized.
+.SH "OPENSSL LIBRARY CONFIGURATION"
+.IX Header "OPENSSL LIBRARY CONFIGURATION"
+In OpenSSL 0.9.7 and later applications can automatically configure certain
+aspects of OpenSSL using the master OpenSSL configuration file, or optionally
+an alternative configuration file. The \fBopenssl\fR utility includes this
+functionality: any sub command uses the master OpenSSL configuration file
+unless an option is used in the sub command to use an alternative configuration
+file.
+.PP
+To enable library configuration the default section needs to contain an 
+appropriate line which points to the main configuration section. The default
+name is \fBopenssl_conf\fR which is used by the \fBopenssl\fR utility. Other
+applications may use an alternative name such as \fBmyapplicaton_conf\fR.
+.PP
+The configuration section should consist of a set of name value pairs which
+contain specific module configuration information. The \fBname\fR represents
+the name of the \fIconfiguration module\fR the meaning of the \fBvalue\fR is 
+module specific: it may, for example, represent a further configuration
+section containing configuration module specific information. E.g.
+.PP
+.Vb 1
+\& openssl_conf = openssl_init
+\&
+\& [openssl_init]
+\&
+\& oid_section = new_oids
+\& engines = engine_section
+\&
+\& [new_oids]
+\&
+\& ... new oids here ...
+\&
+\& [engine_section]
+\&
+\& ... engine stuff here ...
+.Ve
+.PP
+Currently there are two configuration modules. One for \s-1ASN1\s0 objects another
+for \s-1ENGINE\s0 configuration.
+.SS "\s-1ASN1 OBJECT CONFIGURATION MODULE\s0"
+.IX Subsection "ASN1 OBJECT CONFIGURATION MODULE"
+This module has the name \fBoid_section\fR. The value of this variable points
+to a section containing name value pairs of OIDs: the name is the \s-1OID\s0 short
+and long name, the value is the numerical form of the \s-1OID.\s0 Although some of
+the \fBopenssl\fR utility sub commands already have their own \s-1ASN1 OBJECT\s0 section
+functionality not all do. By using the \s-1ASN1 OBJECT\s0 configuration module
+\&\fBall\fR the \fBopenssl\fR utility sub commands can see the new objects as well
+as any compliant applications. For example:
+.PP
+.Vb 1
+\& [new_oids]
+\& 
+\& some_new_oid = 1.2.3.4
+\& some_other_oid = 1.2.3.5
+.Ve
+.PP
+In OpenSSL 0.9.8 it is also possible to set the value to the long name followed
+by a comma and the numerical \s-1OID\s0 form. For example:
+.PP
+.Vb 1
+\& shortName = some object long name, 1.2.3.4
+.Ve
+.SS "\s-1ENGINE CONFIGURATION MODULE\s0"
+.IX Subsection "ENGINE CONFIGURATION MODULE"
+This \s-1ENGINE\s0 configuration module has the name \fBengines\fR. The value of this
+variable points to a section containing further \s-1ENGINE\s0 configuration
+information.
+.PP
+The section pointed to by \fBengines\fR is a table of engine names (though see
+\&\fBengine_id\fR below) and further sections containing configuration informations
+specific to each \s-1ENGINE.\s0
+.PP
+Each \s-1ENGINE\s0 specific section is used to set default algorithms, load
+dynamic, perform initialization and send ctrls. The actual operation performed
+depends on the \fIcommand\fR name which is the name of the name value pair. The
+currently supported commands are listed below.
+.PP
+For example:
+.PP
+.Vb 1
+\& [engine_section]
+\&
+\& # Configure ENGINE named "foo"
+\& foo = foo_section
+\& # Configure ENGINE named "bar"
+\& bar = bar_section
+\&
+\& [foo_section]
+\& ... foo ENGINE specific commands ...
+\&
+\& [bar_section]
+\& ... "bar" ENGINE specific commands ...
+.Ve
+.PP
+The command \fBengine_id\fR is used to give the \s-1ENGINE\s0 name. If used this 
+command must be first. For example:
+.PP
+.Vb 3
+\& [engine_section]
+\& # This would normally handle an ENGINE named "foo"
+\& foo = foo_section
+\&
+\& [foo_section]
+\& # Override default name and use "myfoo" instead.
+\& engine_id = myfoo
+.Ve
+.PP
+The command \fBdynamic_path\fR loads and adds an \s-1ENGINE\s0 from the given path. It
+is equivalent to sending the ctrls \fB\s-1SO_PATH\s0\fR with the path argument followed
+by \fB\s-1LIST_ADD\s0\fR with value 2 and \fB\s-1LOAD\s0\fR to the dynamic \s-1ENGINE.\s0 If this is
+not the required behaviour then alternative ctrls can be sent directly
+to the dynamic \s-1ENGINE\s0 using ctrl commands.
+.PP
+The command \fBinit\fR determines whether to initialize the \s-1ENGINE.\s0 If the value
+is \fB0\fR the \s-1ENGINE\s0 will not be initialized, if \fB1\fR and attempt it made to
+initialized the \s-1ENGINE\s0 immediately. If the \fBinit\fR command is not present
+then an attempt will be made to initialize the \s-1ENGINE\s0 after all commands in
+its section have been processed.
+.PP
+The command \fBdefault_algorithms\fR sets the default algorithms an \s-1ENGINE\s0 will
+supply using the functions \fB\f(BIENGINE_set_default_string()\fB\fR
+.PP
+If the name matches none of the above command names it is assumed to be a
+ctrl command which is sent to the \s-1ENGINE.\s0 The value of the command is the 
+argument to the ctrl command. If the value is the string \fB\s-1EMPTY\s0\fR then no
+value is sent to the command.
+.PP
+For example:
+.PP
+.Vb 1
+\& [engine_section]
+\&
+\& # Configure ENGINE named "foo"
+\& foo = foo_section
+\&
+\& [foo_section]
+\& # Load engine from DSO
+\& dynamic_path = /some/path/fooengine.so
+\& # A foo specific ctrl.
+\& some_ctrl = some_value
+\& # Another ctrl that doesn\*(Aqt take a value.
+\& other_ctrl = EMPTY
+\& # Supply all default algorithms
+\& default_algorithms = ALL
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+If a configuration file attempts to expand a variable that doesn't exist
+then an error is flagged and the file will not load. This can happen
+if an attempt is made to expand an environment variable that doesn't
+exist. For example in a previous version of OpenSSL the default OpenSSL
+master configuration file used the value of \fB\s-1HOME\s0\fR which may not be
+defined on non Unix systems and would cause an error.
+.PP
+This can be worked around by including a \fBdefault\fR section to provide
+a default value: then if the environment lookup fails the default value
+will be used instead. For this to work properly the default value must
+be defined earlier in the configuration file than the expansion. See
+the \fB\s-1EXAMPLES\s0\fR section for an example of how to do this.
+.PP
+If the same variable exists in the same section then all but the last
+value will be silently ignored. In certain circumstances such as with
+DNs the same field may occur multiple times. This is usually worked
+around by ignoring any characters before an initial \fB.\fR e.g.
+.PP
+.Vb 2
+\& 1.OU="My first OU"
+\& 2.OU="My Second OU"
+.Ve
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Here is a sample configuration file using some of the features
+mentioned above.
+.PP
+.Vb 1
+\& # This is the default section.
+\& 
+\& HOME=/temp
+\& RANDFILE= ${ENV::HOME}/.rnd
+\& configdir=$ENV::HOME/config
+\&
+\& [ section_one ]
+\&
+\& # We are now in section one.
+\&
+\& # Quotes permit leading and trailing whitespace
+\& any = " any variable name "
+\&
+\& other = A string that can \e
+\& cover several lines \e
+\& by including \e\e characters
+\&
+\& message = Hello World\en
+\&
+\& [ section_two ]
+\&
+\& greeting = $section_one::message
+.Ve
+.PP
+This next example shows how to expand environment variables safely.
+.PP
+Suppose you want a variable called \fBtmpfile\fR to refer to a
+temporary filename. The directory it is placed in can determined by
+the the \fB\s-1TEMP\s0\fR or \fB\s-1TMP\s0\fR environment variables but they may not be
+set to any value at all. If you just include the environment variable
+names and the variable doesn't exist then this will cause an error when
+an attempt is made to load the configuration file. By making use of the
+default section both values can be looked up with \fB\s-1TEMP\s0\fR taking 
+priority and \fB/tmp\fR used if neither is defined:
+.PP
+.Vb 5
+\& TMP=/tmp
+\& # The above value is used if TMP isn\*(Aqt in the environment
+\& TEMP=$ENV::TMP
+\& # The above value is used if TEMP isn\*(Aqt in the environment
+\& tmpfile=${ENV::TEMP}/tmp.filename
+.Ve
+.SH "BUGS"
+.IX Header "BUGS"
+Currently there is no way to include characters using the octal \fB\ennn\fR
+form. Strings are all null terminated so nulls cannot form part of
+the value.
+.PP
+The escaping isn't quite right: if you want to use sequences like \fB\en\fR
+you can't use any quote escaping on the same line.
+.PP
+Files are loaded in a single pass. This means that an variable expansion
+will only work if the variables referenced are defined earlier in the
+file.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIx509\fR\|(1), \fIreq\fR\|(1), \fIca\fR\|(1)
diff --git a/usr/man/man5/x509v3_config.5 b/usr/man/man5/x509v3_config.5
new file mode 100755
index 000000000..faeffb89d
--- /dev/null
+++ b/usr/man/man5/x509v3_config.5
@@ -0,0 +1,610 @@
+.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+.    ds C`
+.    ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
+..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
+.\}
+.rr rF
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "X509V3_CONFIG 5"
+.TH X509V3_CONFIG 5 "2014-06-05" "0.9.8za" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+x509v3_config \- X509 V3 certificate extension configuration format
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+Several of the OpenSSL utilities can add extensions to a certificate or
+certificate request based on the contents of a configuration file.
+.PP
+Typically the application will contain an option to point to an extension
+section. Each line of the extension section takes the form:
+.PP
+.Vb 1
+\& extension_name=[critical,] extension_options
+.Ve
+.PP
+If \fBcritical\fR is present then the extension will be critical.
+.PP
+The format of \fBextension_options\fR depends on the value of \fBextension_name\fR.
+.PP
+There are four main types of extension: \fIstring\fR extensions, \fImulti-valued\fR
+extensions, \fIraw\fR and \fIarbitrary\fR extensions.
+.PP
+String extensions simply have a string which contains either the value itself
+or how it is obtained.
+.PP
+For example:
+.PP
+.Vb 1
+\& nsComment="This is a Comment"
+.Ve
+.PP
+Multi-valued extensions have a short form and a long form. The short form
+is a list of names and values:
+.PP
+.Vb 1
+\& basicConstraints=critical,CA:true,pathlen:1
+.Ve
+.PP
+The long form allows the values to be placed in a separate section:
+.PP
+.Vb 1
+\& basicConstraints=critical,@bs_section
+\&
+\& [bs_section]
+\&
+\& CA=true
+\& pathlen=1
+.Ve
+.PP
+Both forms are equivalent.
+.PP
+The syntax of raw extensions is governed by the extension code: it can
+for example contain data in multiple sections. The correct syntax to
+use is defined by the extension code itself: check out the certificate
+policies extension for an example.
+.PP
+If an extension type is unsupported then the \fIarbitrary\fR extension syntax
+must be used, see the \s-1ARBITRART EXTENSIONS\s0 section for more details.
+.SH "STANDARD EXTENSIONS"
+.IX Header "STANDARD EXTENSIONS"
+The following sections describe each supported extension in detail.
+.SS "Basic Constraints."
+.IX Subsection "Basic Constraints."
+This is a multi valued extension which indicates whether a certificate is
+a \s-1CA\s0 certificate. The first (mandatory) name is \fB\s-1CA\s0\fR followed by \fB\s-1TRUE\s0\fR or
+\&\fB\s-1FALSE\s0\fR. If \fB\s-1CA\s0\fR is \fB\s-1TRUE\s0\fR then an optional \fBpathlen\fR name followed by an
+non-negative value can be included.
+.PP
+For example:
+.PP
+.Vb 1
+\& basicConstraints=CA:TRUE
+\&
+\& basicConstraints=CA:FALSE
+\&
+\& basicConstraints=critical,CA:TRUE, pathlen:0
+.Ve
+.PP
+A \s-1CA\s0 certificate \fBmust\fR include the basicConstraints value with the \s-1CA\s0 field
+set to \s-1TRUE.\s0 An end user certificate must either set \s-1CA\s0 to \s-1FALSE\s0 or exclude the
+extension entirely. Some software may require the inclusion of basicConstraints
+with \s-1CA\s0 set to \s-1FALSE\s0 for end entity certificates.
+.PP
+The pathlen parameter indicates the maximum number of CAs that can appear
+below this one in a chain. So if you have a \s-1CA\s0 with a pathlen of zero it can
+only be used to sign end user certificates and not further CAs.
+.SS "Key Usage."
+.IX Subsection "Key Usage."
+Key usage is a multi valued extension consisting of a list of names of the
+permitted key usages.
+.PP
+The supporte names are: digitalSignature, nonRepudiation, keyEncipherment,
+dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly
+and decipherOnly.
+.PP
+Examples:
+.PP
+.Vb 1
+\& keyUsage=digitalSignature, nonRepudiation
+\&
+\& keyUsage=critical, keyCertSign
+.Ve
+.SS "Extended Key Usage."
+.IX Subsection "Extended Key Usage."
+This extensions consists of a list of usages indicating purposes for which
+the certificate public key can be used for,
+.PP
+These can either be object short names of the dotted numerical form of OIDs.
+While any \s-1OID\s0 can be used only certain values make sense. In particular the
+following \s-1PKIX, NS\s0 and \s-1MS\s0 values are meaningful:
+.PP
+.Vb 10
+\& Value                  Meaning
+\& \-\-\-\-\-                  \-\-\-\-\-\-\-
+\& serverAuth             SSL/TLS Web Server Authentication.
+\& clientAuth             SSL/TLS Web Client Authentication.
+\& codeSigning            Code signing.
+\& emailProtection        E\-mail Protection (S/MIME).
+\& timeStamping           Trusted Timestamping
+\& msCodeInd              Microsoft Individual Code Signing (authenticode)
+\& msCodeCom              Microsoft Commercial Code Signing (authenticode)
+\& msCTLSign              Microsoft Trust List Signing
+\& msSGC                  Microsoft Server Gated Crypto
+\& msEFS                  Microsoft Encrypted File System
+\& nsSGC                  Netscape Server Gated Crypto
+.Ve
+.PP
+Examples:
+.PP
+.Vb 2
+\& extendedKeyUsage=critical,codeSigning,1.2.3.4
+\& extendedKeyUsage=nsSGC,msSGC
+.Ve
+.SS "Subject Key Identifier."
+.IX Subsection "Subject Key Identifier."
+This is really a string extension and can take two possible values. Either
+the word \fBhash\fR which will automatically follow the guidelines in \s-1RFC3280\s0
+or a hex string giving the extension value to include. The use of the hex
+string is strongly discouraged.
+.PP
+Example:
+.PP
+.Vb 1
+\& subjectKeyIdentifier=hash
+.Ve
+.SS "Authority Key Identifier."
+.IX Subsection "Authority Key Identifier."
+The authority key identifier extension permits two options. keyid and issuer:
+both can take the optional value \*(L"always\*(R".
+.PP
+If the keyid option is present an attempt is made to copy the subject key
+identifier from the parent certificate. If the value \*(L"always\*(R" is present
+then an error is returned if the option fails.
+.PP
+The issuer option copies the issuer and serial number from the issuer
+certificate. This will only be done if the keyid option fails or
+is not included unless the \*(L"always\*(R" flag will always include the value.
+.PP
+Example:
+.PP
+.Vb 1
+\& authorityKeyIdentifier=keyid,issuer
+.Ve
+.SS "Subject Alternative Name."
+.IX Subsection "Subject Alternative Name."
+The subject alternative name extension allows various literal values to be
+included in the configuration file. These include \fBemail\fR (an email address)
+\&\fB\s-1URI\s0\fR a uniform resource indicator, \fB\s-1DNS\s0\fR (a \s-1DNS\s0 domain name), \fB\s-1RID\s0\fR (a
+registered \s-1ID: OBJECT IDENTIFIER\s0), \fB\s-1IP\s0\fR (an \s-1IP\s0 address), \fBdirName\fR
+(a distinguished name) and otherName.
+.PP
+The email option include a special 'copy' value. This will automatically
+include and email addresses contained in the certificate subject name in
+the extension.
+.PP
+The \s-1IP\s0 address used in the \fB\s-1IP\s0\fR options can be in either IPv4 or IPv6 format.
+.PP
+The value of \fBdirName\fR should point to a section containing the distinguished
+name to use as a set of name value pairs. Multi values AVAs can be formed by
+preceeding the name with a \fB+\fR character.
+.PP
+otherName can include arbitrary data associated with an \s-1OID:\s0 the value
+should be the \s-1OID\s0 followed by a semicolon and the content in standard
+\&\fIASN1_generate_nconf()\fR format.
+.PP
+Examples:
+.PP
+.Vb 5
+\& subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
+\& subjectAltName=IP:192.168.7.1
+\& subjectAltName=IP:13::17
+\& subjectAltName=email:my@other.address,RID:1.2.3.4
+\& subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
+\&
+\& subjectAltName=dirName:dir_sect
+\&
+\& [dir_sect]
+\& C=UK
+\& O=My Organization
+\& OU=My Unit
+\& CN=My Name
+.Ve
+.SS "Issuer Alternative Name."
+.IX Subsection "Issuer Alternative Name."
+The issuer alternative name option supports all the literal options of
+subject alternative name. It does \fBnot\fR support the email:copy option because
+that would not make sense. It does support an additional issuer:copy option
+that will copy all the subject alternative name values from the issuer 
+certificate (if possible).
+.PP
+Example:
+.PP
+.Vb 1
+\& issuserAltName = issuer:copy
+.Ve
+.SS "Authority Info Access."
+.IX Subsection "Authority Info Access."
+The authority information access extension gives details about how to access
+certain information relating to the \s-1CA.\s0 Its syntax is accessOID;location
+where \fIlocation\fR has the same syntax as subject alternative name (except
+that email:copy is not supported). accessOID can be any valid \s-1OID\s0 but only
+certain values are meaningful, for example \s-1OCSP\s0 and caIssuers.
+.PP
+Example:
+.PP
+.Vb 2
+\& authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+\& authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
+.Ve
+.SS "\s-1CRL\s0 distribution points."
+.IX Subsection "CRL distribution points."
+This is a multi-valued extension that supports all the literal options of
+subject alternative name. Of the few software packages that currently interpret
+this extension most only interpret the \s-1URI\s0 option.
+.PP
+Currently each option will set a new DistributionPoint with the fullName
+field set to the given value.
+.PP
+Other fields like cRLissuer and reasons cannot currently be set or displayed:
+at this time no examples were available that used these fields.
+.PP
+Examples:
+.PP
+.Vb 2
+\& crlDistributionPoints=URI:http://myhost.com/myca.crl
+\& crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl
+.Ve
+.SS "Certificate Policies."
+.IX Subsection "Certificate Policies."
+This is a \fIraw\fR extension. All the fields of this extension can be set by
+using the appropriate syntax.
+.PP
+If you follow the \s-1PKIX\s0 recommendations and just using one \s-1OID\s0 then you just
+include the value of that \s-1OID.\s0 Multiple OIDs can be set separated by commas,
+for example:
+.PP
+.Vb 1
+\& certificatePolicies= 1.2.4.5, 1.1.3.4
+.Ve
+.PP
+If you wish to include qualifiers then the policy \s-1OID\s0 and qualifiers need to
+be specified in a separate section: this is done by using the \f(CW@section\fR syntax
+instead of a literal \s-1OID\s0 value.
+.PP
+The section referred to must include the policy \s-1OID\s0 using the name
+policyIdentifier, cPSuri qualifiers can be included using the syntax:
+.PP
+.Vb 1
+\& CPS.nnn=value
+.Ve
+.PP
+userNotice qualifiers can be set using the syntax:
+.PP
+.Vb 1
+\& userNotice.nnn=@notice
+.Ve
+.PP
+The value of the userNotice qualifier is specified in the relevant section.
+This section can include explicitText, organization and noticeNumbers
+options. explicitText and organization are text strings, noticeNumbers is a
+comma separated list of numbers. The organization and noticeNumbers options
+(if included) must \s-1BOTH\s0 be present. If you use the userNotice option with \s-1IE5\s0
+then you need the 'ia5org' option at the top level to modify the encoding:
+otherwise it will not be interpreted properly.
+.PP
+Example:
+.PP
+.Vb 1
+\& certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
+\&
+\& [polsect]
+\&
+\& policyIdentifier = 1.3.5.8
+\& CPS.1="http://my.host.name/"
+\& CPS.2="http://my.your.name/"
+\& userNotice.1=@notice
+\&
+\& [notice]
+\&
+\& explicitText="Explicit Text Here"
+\& organization="Organisation Name"
+\& noticeNumbers=1,2,3,4
+.Ve
+.PP
+The \fBia5org\fR option changes the type of the \fIorganization\fR field. In \s-1RFC2459\s0
+it can only be of type DisplayText. In \s-1RFC3280\s0 IA5Strring is also permissible.
+Some software (for example some versions of \s-1MSIE\s0) may require ia5org.
+.SS "Policy Constraints"
+.IX Subsection "Policy Constraints"
+This is a multi-valued extension which consisting of the names
+\&\fBrequireExplicitPolicy\fR or \fBinhibitPolicyMapping\fR and a non negative intger
+value. At least one component must be present.
+.PP
+Example:
+.PP
+.Vb 1
+\& policyConstraints = requireExplicitPolicy:3
+.Ve
+.SS "Inhibit Any Policy"
+.IX Subsection "Inhibit Any Policy"
+This is a string extension whose value must be a non negative integer.
+.PP
+Example:
+.PP
+.Vb 1
+\& inhibitAnyPolicy = 2
+.Ve
+.SS "Name Constraints"
+.IX Subsection "Name Constraints"
+The name constraints extension is a multi-valued extension. The name should
+begin with the word \fBpermitted\fR or \fBexcluded\fR followed by a \fB;\fR. The rest of
+the name and the value follows the syntax of subjectAltName except email:copy
+is not supported and the \fB\s-1IP\s0\fR form should consist of an \s-1IP\s0 addresses and 
+subnet mask separated by a \fB/\fR.
+.PP
+Examples:
+.PP
+.Vb 1
+\& nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
+\&
+\& nameConstraints=permitted;email:.somedomain.com
+\&
+\& nameConstraints=excluded;email:.com
+.Ve
+.SH "DEPRECATED EXTENSIONS"
+.IX Header "DEPRECATED EXTENSIONS"
+The following extensions are non standard, Netscape specific and largely
+obsolete. Their use in new applications is discouraged.
+.SS "Netscape String extensions."
+.IX Subsection "Netscape String extensions."
+Netscape Comment (\fBnsComment\fR) is a string extension containing a comment
+which will be displayed when the certificate is viewed in some browsers.
+.PP
+Example:
+.PP
+.Vb 1
+\& nsComment = "Some Random Comment"
+.Ve
+.PP
+Other supported extensions in this category are: \fBnsBaseUrl\fR,
+\&\fBnsRevocationUrl\fR, \fBnsCaRevocationUrl\fR, \fBnsRenewalUrl\fR, \fBnsCaPolicyUrl\fR
+and \fBnsSslServerName\fR.
+.SS "Netscape Certificate Type"
+.IX Subsection "Netscape Certificate Type"
+This is a multi-valued extensions which consists of a list of flags to be
+included. It was used to indicate the purposes for which a certificate could
+be used. The basicConstraints, keyUsage and extended key usage extensions are
+now used instead.
+.PP
+Acceptable values for nsCertType are: \fBclient\fR, \fBserver\fR, \fBemail\fR,
+\&\fBobjsign\fR, \fBreserved\fR, \fBsslCA\fR, \fBemailCA\fR, \fBobjCA\fR.
+.SH "ARBITRARY EXTENSIONS"
+.IX Header "ARBITRARY EXTENSIONS"
+If an extension is not supported by the OpenSSL code then it must be encoded
+using the arbitrary extension format. It is also possible to use the arbitrary
+format for supported extensions. Extreme care should be taken to ensure that
+the data is formatted correctly for the given extension type.
+.PP
+There are two ways to encode arbitrary extensions.
+.PP
+The first way is to use the word \s-1ASN1\s0 followed by the extension content
+using the same syntax as \fIASN1_generate_nconf()\fR. For example:
+.PP
+.Vb 1
+\& 1.2.3.4=critical,ASN1:UTF8String:Some random data
+\&
+\& 1.2.3.4=ASN1:SEQUENCE:seq_sect
+\&
+\& [seq_sect]
+\&
+\& field1 = UTF8:field1
+\& field2 = UTF8:field2
+.Ve
+.PP
+It is also possible to use the word \s-1DER\s0 to include the raw encoded data in any
+extension.
+.PP
+.Vb 2
+\& 1.2.3.4=critical,DER:01:02:03:04
+\& 1.2.3.4=DER:01020304
+.Ve
+.PP
+The value following \s-1DER\s0 is a hex dump of the \s-1DER\s0 encoding of the extension
+Any extension can be placed in this form to override the default behaviour.
+For example:
+.PP
+.Vb 1
+\& basicConstraints=critical,DER:00:01:02:03
+.Ve
+.SH "WARNING"
+.IX Header "WARNING"
+There is no guarantee that a specific implementation will process a given
+extension. It may therefore be sometimes possible to use certificates for
+purposes prohibited by their extensions because a specific application does
+not recognize or honour the values of the relevant extensions.
+.PP
+The \s-1DER\s0 and \s-1ASN1\s0 options should be used with caution. It is possible to create
+totally invalid extensions if they are not used carefully.
+.SH "NOTES"
+.IX Header "NOTES"
+If an extension is multi-value and a field value must contain a comma the long
+form must be used otherwise the comma would be misinterpreted as a field
+separator. For example:
+.PP
+.Vb 1
+\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
+.Ve
+.PP
+will produce an error but the equivalent form:
+.PP
+.Vb 1
+\& subjectAltName=@subject_alt_section
+\&
+\& [subject_alt_section]
+\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
+.Ve
+.PP
+is valid.
+.PP
+Due to the behaviour of the OpenSSL \fBconf\fR library the same field name
+can only occur once in a section. This means that:
+.PP
+.Vb 1
+\& subjectAltName=@alt_section
+\&
+\& [alt_section]
+\&
+\& email=steve@here
+\& email=steve@there
+.Ve
+.PP
+will only recognize the last value. This can be worked around by using the form:
+.PP
+.Vb 1
+\& [alt_section]
+\&
+\& email.1=steve@here
+\& email.2=steve@there
+.Ve
+.SH "HISTORY"
+.IX Header "HISTORY"
+The X509v3 extension code was first added to OpenSSL 0.9.2.
+.PP
+Policy mappings, inhibit any policy and name constraints support was added in
+OpenSSL 0.9.8
+.PP
+The \fBdirectoryName\fR and \fBotherName\fR option as well as the \fB\s-1ASN1\s0\fR option
+for arbitrary extensions was added in OpenSSL 0.9.8
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIx509\fR\|(1)