x509v3_config.pod revision 269686
=pod

=for comment openssl_manual_section:5

=head1 NAME

x509v3_config - X509 V3 certificate extension configuration format

=head1 DESCRIPTION

Several of the OpenSSL utilities can add extensions to a certificate or
certificate request based on the contents of a configuration file.

Typically the application will contain an option to point to an extension
section. Each line of the extension section takes the form:

 extension_name=[critical,] extension_options

If B<critical> is present then the extension will be critical.

The format of B<extension_options> depends on the value of B<extension_name>.

There are four main types of extension: I<string> extensions, I<multi-valued>
extensions, I<raw> and I<arbitrary> extensions.

String extensions simply have a string which contains either the value itself
or how it is obtained.

For example:

 nsComment="This is a Comment"

Multi-valued extensions have a short form and a long form. The short form
is a list of names and values:

 basicConstraints=critical,CA:true,pathlen:1

The long form allows the values to be placed in a separate section:

 basicConstraints=critical,@bs_section

 [bs_section]

 CA=true
 pathlen=1

Both forms are equivalent.
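
The equivalence of the short and long forms can be checked with a small reader. The Python below is an added example, not OpenSSL code and not part of the original manual page: it is a simplified model of the line format (no quoting or variable expansion), and the section names v3_ext and alt_section and all sample input are constructed. It also shows what the comma splitting of the short form does to a value that itself contains a comma.

```python
# Added example (not OpenSSL code): a simplified reader for the
# "extension_name=[critical,] extension_options" line format.
import re

# Constructed sample input, modelled on the basicConstraints lines above.
SHORT_FORM = """
[v3_ext]
basicConstraints=critical,CA:true,pathlen:1
"""
LONG_FORM = """
[v3_ext]
basicConstraints=critical,@bs_section

[bs_section]
CA=true
pathlen=1
"""
# Constructed sample: a value containing a comma, in short and long form.
COMMA_SHORT = """
[v3_ext]
subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
"""
COMMA_LONG = """
[v3_ext]
subjectAltName=@alt_section

[alt_section]
URI=ldap://somehost.com/CN=foo,OU=bar
"""


def read_sections(text):
    """Return {section: {name: value}}; a repeated name keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[\s*([\w.]+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {line!r}")
        else:
            name, _, value = line.partition("=")
            current[name.strip()] = value.strip()
    return sections


def parse_extension(text, ext_name, ext_section="v3_ext"):
    """Return (critical, [(name, value_or_None), ...]) for one extension line."""
    sections = read_sections(text)
    items = [i.strip() for i in sections[ext_section][ext_name].split(",")]
    critical = items[0] == "critical"
    if critical:
        items = items[1:]
    if len(items) == 1 and items[0].startswith("@"):
        # Long form: the fields live in their own section, one per line.
        return critical, list(sections[items[0][1:]].items())
    pairs = []
    for item in items:
        # Short form: every comma starts a new "name:value" field.
        name, sep, value = item.partition(":")
        pairs.append((name.strip(), value.strip() if sep else None))
    return critical, pairs


if __name__ == "__main__":
    print(parse_extension(SHORT_FORM, "basicConstraints"))
    print(parse_extension(LONG_FORM, "basicConstraints"))
    print(parse_extension(COMMA_SHORT, "subjectAltName"))
    print(parse_extension(COMMA_LONG, "subjectAltName"))
```

In the short form the sample URI is cut at its comma and the remainder becomes a second field with no value; in the long form the whole URI survives as one field.
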

The syntax of raw extensions is governed by the extension code: it can
for example contain data in multiple sections. The correct syntax to
use is defined by the extension code itself: check out the certificate
policies extension for an example.

If an extension type is unsupported then the I<arbitrary> extension syntax
must be used, see the L<ARBITRARY EXTENSIONS|/"ARBITRARY EXTENSIONS"> section for more details.

=head1 STANDARD EXTENSIONS

The following sections describe each supported extension in detail.

=head2 Basic Constraints.

This is a multi valued extension which indicates whether a certificate is
a CA certificate. The first (mandatory) name is B<CA> followed by B<TRUE> or
B<FALSE>. If B<CA> is B<TRUE> then an optional B<pathlen> name followed by a
non-negative value can be included.

For example:

 basicConstraints=CA:TRUE

 basicConstraints=CA:FALSE

 basicConstraints=critical,CA:TRUE, pathlen:0

A CA certificate B<must> include the basicConstraints value with the CA field
set to TRUE. An end user certificate must either set CA to FALSE or exclude the
extension entirely. Some software may require the inclusion of basicConstraints
with CA set to FALSE for end entity certificates.

The pathlen parameter indicates the maximum number of CAs that can appear
below this one in a chain. So if you have a CA with a pathlen of zero it can
only be used to sign end user certificates and not further CAs.


=head2 Key Usage.

Key usage is a multi valued extension consisting of a list of names of the
permitted key usages.

The supported names are: digitalSignature, nonRepudiation, keyEncipherment,
dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly
and decipherOnly.

Examples:

 keyUsage=digitalSignature, nonRepudiation

 keyUsage=critical, keyCertSign


=head2 Extended Key Usage.

This extension consists of a list of usages indicating purposes for which
the certificate public key can be used.

These can either be object short names or the dotted numerical form of OIDs.
While any OID can be used only certain values make sense. In particular the
following PKIX, NS and MS values are meaningful:

 Value                  Meaning
 -----                  -------
 serverAuth             SSL/TLS Web Server Authentication.
 clientAuth             SSL/TLS Web Client Authentication.
 codeSigning            Code signing.
 emailProtection        E-mail Protection (S/MIME).
 timeStamping           Trusted Timestamping
 msCodeInd              Microsoft Individual Code Signing (authenticode)
 msCodeCom              Microsoft Commercial Code Signing (authenticode)
 msCTLSign              Microsoft Trust List Signing
 msSGC                  Microsoft Server Gated Crypto
 msEFS                  Microsoft Encrypted File System
 nsSGC                  Netscape Server Gated Crypto

Examples:

 extendedKeyUsage=critical,codeSigning,1.2.3.4
 extendedKeyUsage=nsSGC,msSGC


=head2 Subject Key Identifier.

This is really a string extension and can take two possible values. Either
the word B<hash> which will automatically follow the guidelines in RFC3280
or a hex string giving the extension value to include. The use of the hex
string is strongly discouraged.

Example:

 subjectKeyIdentifier=hash


=head2 Authority Key Identifier.

The authority key identifier extension permits two options, keyid and issuer:
both can take the optional value "always".

If the keyid option is present an attempt is made to copy the subject key
identifier from the parent certificate. If the value "always" is present
then an error is returned if the option fails.

The issuer option copies the issuer and serial number from the issuer
certificate. This is only done if the keyid option fails or is not
included, unless the "always" flag is present, in which case the value is
always included.

Example:

 authorityKeyIdentifier=keyid,issuer


=head2 Subject Alternative Name.

The subject alternative name extension allows various literal values to be
included in the configuration file. These include B<email> (an email address),
B<URI> (a uniform resource identifier), B<DNS> (a DNS domain name), B<RID> (a
registered ID: OBJECT IDENTIFIER), B<IP> (an IP address), B<dirName>
(a distinguished name) and otherName.

The email option includes a special 'copy' value.
This will automatically
include any email addresses contained in the certificate subject name in
the extension.

The IP address used in the B<IP> options can be in either IPv4 or IPv6 format.

The value of B<dirName> should point to a section containing the distinguished
name to use as a set of name value pairs. Multi-valued AVAs can be formed by
prefacing the name with a B<+> character.

otherName can include arbitrary data associated with an OID: the value
should be the OID followed by a semicolon and the content in standard
L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)> format.

Examples:

 subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
 subjectAltName=IP:192.168.7.1
 subjectAltName=IP:13::17
 subjectAltName=email:my@other.address,RID:1.2.3.4
 subjectAltName=otherName:1.2.3.4;UTF8:some other identifier

 subjectAltName=dirName:dir_sect

 [dir_sect]
 C=UK
 O=My Organization
 OU=My Unit
 CN=My Name


=head2 Issuer Alternative Name.

The issuer alternative name option supports all the literal options of
subject alternative name. It does B<not> support the email:copy option because
that would not make sense. It does support an additional issuer:copy option
that will copy all the subject alternative name values from the issuer
certificate (if possible).

Example:

 issuerAltName = issuer:copy


=head2 Authority Info Access.

The authority information access extension gives details about how to access
certain information relating to the CA. Its syntax is accessOID;location
where I<location> has the same syntax as subject alternative name (except
that email:copy is not supported). accessOID can be any valid OID but only
certain values are meaningful, for example OCSP and caIssuers.

Example:

 authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
 authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html


=head2 CRL distribution points.

This is a multi-valued extension whose options can be either in name:value pair
using the same form as subject alternative name or a single value representing
a section name containing all the distribution point fields.

For a name:value pair a new DistributionPoint is created with the fullName
field set to the given value; both the cRLissuer and reasons fields are
omitted in this case.

In the single option case the section indicated contains values for each
field. In this section:

If the name is "fullname" the value field should contain the full name
of the distribution point in the same format as subject alternative name.

If the name is "relativename" then the value field should contain a section
name whose contents represent a DN fragment to be placed in this field.

The name "CRLIssuer" if present should contain a value for this field in
subject alternative name format.

If the name is "reasons" the value field should consist of a comma
separated field containing the reasons. Valid reasons are: "keyCompromise",
"CACompromise", "affiliationChanged", "superseded", "cessationOfOperation",
"certificateHold", "privilegeWithdrawn" and "AACompromise".


Simple examples:

 crlDistributionPoints=URI:http://myhost.com/myca.crl
 crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl

Full distribution point example:

 crlDistributionPoints=crldp1_section

 [crldp1_section]

 fullname=URI:http://myhost.com/myca.crl
 CRLissuer=dirName:issuer_sect
 reasons=keyCompromise, CACompromise

 [issuer_sect]
 C=UK
 O=Organisation
 CN=Some Name

=head2 Issuing Distribution Point

This extension should only appear in CRLs. It is a multi valued extension
whose syntax is similar to the "section" pointed to by the CRL distribution
points extension with a few differences.

The names "reasons" and "CRLissuer" are not recognized.

The name "onlysomereasons" is accepted which sets this field. The value is
in the same format as the CRL distribution point "reasons" field.

The names "onlyuser", "onlyCA", "onlyAA" and "indirectCRL" are also accepted;
the values should be a boolean value (TRUE or FALSE) to indicate the value of
the corresponding field.

Example:

 issuingDistributionPoint=critical, @idp_section

 [idp_section]

 fullname=URI:http://myhost.com/myca.crl
 indirectCRL=TRUE
 onlysomereasons=keyCompromise, CACompromise

 [issuer_sect]
 C=UK
 O=Organisation
 CN=Some Name


=head2 Certificate Policies.

This is a I<raw> extension. All the fields of this extension can be set by
using the appropriate syntax.

If you follow the PKIX recommendations and are just using one OID then you just
include the value of that OID. Multiple OIDs can be set separated by commas,
for example:

 certificatePolicies= 1.2.4.5, 1.1.3.4

If you wish to include qualifiers then the policy OID and qualifiers need to
be specified in a separate section: this is done by using the @section syntax
instead of a literal OID value.

The section referred to must include the policy OID using the name
policyIdentifier. cPSuri qualifiers can be included using the syntax:

 CPS.nnn=value

userNotice qualifiers can be set using the syntax:

 userNotice.nnn=@notice

The value of the userNotice qualifier is specified in the relevant section.
This section can include explicitText, organization and noticeNumbers
options. explicitText and organization are text strings, noticeNumbers is a
comma separated list of numbers. The organization and noticeNumbers options
(if included) must BOTH be present. If you use the userNotice option with IE5
then you need the 'ia5org' option at the top level to modify the encoding:
otherwise it will not be interpreted properly.

Example:

 certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect

 [polsect]

 policyIdentifier = 1.3.5.8
 CPS.1="http://my.host.name/"
 CPS.2="http://my.your.name/"
 userNotice.1=@notice

 [notice]

 explicitText="Explicit Text Here"
 organization="Organisation Name"
 noticeNumbers=1,2,3,4

The B<ia5org> option changes the type of the I<organization> field. In RFC2459
it can only be of type DisplayText. In RFC3280 IA5String is also permissible.
Some software (for example some versions of MSIE) may require ia5org.

=head2 Policy Constraints

This is a multi-valued extension which consists of the names
B<requireExplicitPolicy> or B<inhibitPolicyMapping> and a non negative integer
value. At least one component must be present.

Example:

 policyConstraints = requireExplicitPolicy:3


=head2 Inhibit Any Policy

This is a string extension whose value must be a non negative integer.

Example:

 inhibitAnyPolicy = 2


=head2 Name Constraints

The name constraints extension is a multi-valued extension. The name should
begin with the word B<permitted> or B<excluded> followed by a B<;>. The rest of
the name and the value follows the syntax of subjectAltName except email:copy
is not supported and the B<IP> form should consist of an IP address and
subnet mask separated by a B</>.

Examples:

 nameConstraints=permitted;IP:192.168.0.0/255.255.0.0

 nameConstraints=permitted;email:.somedomain.com

 nameConstraints=excluded;email:.com


=head2 OCSP No Check

The OCSP No Check extension is a string extension but its value is ignored.

Example:

 noCheck = ignored


=head1 DEPRECATED EXTENSIONS

The following extensions are non standard, Netscape specific and largely
obsolete. Their use in new applications is discouraged.

=head2 Netscape String extensions.

Netscape Comment (B<nsComment>) is a string extension containing a comment
which will be displayed when the certificate is viewed in some browsers.

Example:

 nsComment = "Some Random Comment"

Other supported extensions in this category are: B<nsBaseUrl>,
B<nsRevocationUrl>, B<nsCaRevocationUrl>, B<nsRenewalUrl>, B<nsCaPolicyUrl>
and B<nsSslServerName>.


=head2 Netscape Certificate Type

This is a multi-valued extension which consists of a list of flags to be
included. It was used to indicate the purposes for which a certificate could
be used. The basicConstraints, keyUsage and extended key usage extensions are
now used instead.

Acceptable values for nsCertType are: B<client>, B<server>, B<email>,
B<objsign>, B<reserved>, B<sslCA>, B<emailCA>, B<objCA>.


=head1 ARBITRARY EXTENSIONS

If an extension is not supported by the OpenSSL code then it must be encoded
using the arbitrary extension format. It is also possible to use the arbitrary
format for supported extensions. Extreme care should be taken to ensure that
the data is formatted correctly for the given extension type.

There are two ways to encode arbitrary extensions.

The first way is to use the word ASN1 followed by the extension content
using the same syntax as L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)>.
For example:

 1.2.3.4=critical,ASN1:UTF8String:Some random data

 1.2.3.4=ASN1:SEQUENCE:seq_sect

 [seq_sect]

 field1 = UTF8:field1
 field2 = UTF8:field2

It is also possible to use the word DER to include the raw encoded data in any
extension.

 1.2.3.4=critical,DER:01:02:03:04
 1.2.3.4=DER:01020304

The value following DER is a hex dump of the DER encoding of the extension.
Any extension can be placed in this form to override the default behaviour.
For example:

 basicConstraints=critical,DER:00:01:02:03

=head1 WARNING

There is no guarantee that a specific implementation will process a given
extension. It may therefore be sometimes possible to use certificates for
purposes prohibited by their extensions because a specific application does
not recognize or honour the values of the relevant extensions.

The DER and ASN1 options should be used with caution. It is possible to create
totally invalid extensions if they are not used carefully.


=head1 NOTES

If an extension is multi-value and a field value must contain a comma the long
form must be used otherwise the comma would be misinterpreted as a field
separator. For example:

 subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar

will produce an error but the equivalent form:

 subjectAltName=@subject_alt_section

 [subject_alt_section]
 URI=ldap://somehost.com/CN=foo,OU=bar

is valid.

Due to the behaviour of the OpenSSL B<conf> library the same field name
can only occur once in a section.
This means that:

 subjectAltName=@alt_section

 [alt_section]

 email=steve@here
 email=steve@there

will only recognize the last value. This can be worked around by using the form:

 [alt_section]

 email.1=steve@here
 email.2=steve@there

=head1 HISTORY

The X509v3 extension code was first added to OpenSSL 0.9.2.

Policy mappings, inhibit any policy and name constraints support was added in
OpenSSL 0.9.8.

The B<directoryName> and B<otherName> option as well as the B<ASN1> option
for arbitrary extensions was added in OpenSSL 0.9.8.

=head1 SEE ALSO

L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>,
L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)>


=cut