The branch master has been updated
       via  ccbf3f90c46cee9b2ca38f9a6c797c838738d8af (commit)
      from  4605c5ab4796e99a207ab54d31bb8d2b5e42f1ca (commit)

- Log -----------------------------------------------------------------
commit ccbf3f90c46cee9b2ca38f9a6c797c838738d8af
Author: Richard Levitte <levi...@openssl.org>
Date:   Sat Nov 14 22:38:37 2020 +0100

    DOC: Fixup the description of the -x509_strict option

    POD commands must always be surrounded by blank lines

    POD transformers read everything in paragraph mode. The following
    lines become *one* command, where the second line becomes part of the
    text of the first, including the command itself. In other words,
    this:

        =item something
        =item something else

    Translates to this in a man-page:

        something =item something else

    Reviewed-by: David von Oheimb <david.von.ohe...@siemens.com>
    (Merged from https://github.com/openssl/openssl/pull/13412)

-----------------------------------------------------------------------

Summary of changes:
 doc/man1/openssl.pod | 64 +++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 48 insertions(+), 16 deletions(-)

diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 4789be46ef..bd3a9db226 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod
@@ -887,22 +887,54 @@ Thus errors are thrown on certificates not compliant with RFC 5280. When this option is set, among others, the following certificate well-formedness conditions are checked: -=over 8 - -=item The basicConstraints of CA certificates must be marked critical. -=item CA certificates must explicitly include the keyUsage extension. -=item If a pathlenConstraint is given the key usage keyCertSign must be allowed. -=item The pathlenConstraint must not be given for non-CA certificates. -=item The issuer name of any certificate must not be empty. -=item The subject name of CA certs, certs with keyUsage crlSign, - and certs without subjectAlternativeName must not be empty. -=item If a subjectAlternativeName extension is given it must not be empty. -=item The signatureAlgorithm field and the cert signature must be consistent. -=item Any given authorityKeyIdentifier and any given subjectKeyIdentifier - must not be marked critical. -=item The authorityKeyIdentifier must be given for X.509v3 certs - unless they are self-signed. -=item The subjectKeyIdentifier must be given for all X.509v3 CA certs. +=over 4 + +=item - + +The basicConstraints of CA certificates must be marked critical. + +=item - + +CA certificates must explicitly include the keyUsage extension. + +=item - + +If a pathlenConstraint is given the key usage keyCertSign must be allowed. + +=item - + +The pathlenConstraint must not be given for non-CA certificates. + +=item - + +The issuer name of any certificate must not be empty. + +=item - + +The subject name of CA certs, certs with keyUsage crlSign, and certs +without subjectAlternativeName must not be empty. + +=item - + +If a subjectAlternativeName extension is given it must not be empty. + +=item - + +The signatureAlgorithm field and the cert signature must be consistent. + +=item - + +Any given authorityKeyIdentifier and any given subjectKeyIdentifier +must not be marked critical. 
+ +=item - + +The authorityKeyIdentifier must be given for X.509v3 certs unless they +are self-signed. + +=item - + +The subjectKeyIdentifier must be given for all X.509v3 CA certs. =back
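
Review bot: every entry in the new list is tagged "=item -", which POD formatters treat as a text item whose label is a literal hyphen, not as a bullet; "=item *" is the perlpod form for a bulleted list and would render these eleven well-formedness conditions as real bullets in HTML output as well as in the man page. Separately, the hunk changes "=over 8" to "=over 4" at the top of the list, which the commit message does not mention; a short note there on why the indent changed alongside the blank-line fix would make the change easier to follow.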