diff --git a/doc/hx509.texi b/doc/hx509.texi index b98f3128a..dcbbff59e 100644 --- a/doc/hx509.texi +++ b/doc/hx509.texi @@ -238,11 +238,12 @@ Setting up a CA @c * Issuing certificates:: * Creating a CA certificate:: * Issuing a server certificate:: -@c * Issuing a user certificate:: +* Issuing a user certificate:: @c * Issuing a proxy certificate:: @c * Creating a user certificate:: @c * Validating a certifiate:: @c * Validating a certifiate path:: +* Application requirements:: CMS signing and encryption @@ -366,7 +367,7 @@ hxtool issue-certificate \ --certificate="FILE:ca.pem" @end example -@node Issuing a server certificate, CMS signing and encryption, Creating a CA certificate, Top +@node Issuing a server certificate, Issuing a user certificate, Creating a CA certificate, Top @section Issuing a server certificate The first component should be a CN, and should contain the name of the 
@@ -392,8 +393,46 @@ hxtool issue-certificate \ --certificate="FILE:cert-ee.pem" @end example +@node Issuing a user certificate, Application requirements, Issuing a server certificate, Top +@section Issuing a user certificate -@node CMS signing and encryption, CMS background, Issuing a server certificate, Top +To issue a certificate to a user is usually quite simpler in terms of +that Extended Key Usage and Subect Altertive Names that is used. + +@node Application requirements, CMS signing and encryption, Issuing a user certificate, Top +@section Application requirements + +@subsection HTTPS + +@subsection Email + +@subsection PK-INIT + +@subsection XMPP/Jabber + +The server certificate should have a dNSname that is the same as the +user entered into the application, not the same as the hostname of the +machine. + +When storing a JID inside the certificate, both for server and client, +its stored inside a UTF8String within an otherName entity inside the +subjectAltName, using the OID id-on-xmppAddr (1.3.6.1.5.5.7.8.5). + +To read more about the requirements, see RFC3920, Extensible Messaging +and Presence Protocol (XMPP): Core. + +hxtool issue-certificate have support to add jid to the certificate +using the option --jid. + +@example +hxtool issue-certificate \ + --subject="cn=Love,dc=test,dc=h5l,dc=se" \ + --jid="lha@@test.h5l.se" \ + ... +@end example + + +@node CMS signing and encryption, CMS background, Application requirements, Top @chapter CMS signing and encryption CMS is the Cryptographic Message System that among other, is used by
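Review bot: In the third hunk, the new "Application requirements" chapter ships three empty headings (`@subsection HTTPS`, `@subsection Email`, `@subsection PK-INIT`) with no text under them, so the rendered manual will show placeholder sections; either add the per-application requirements now or keep those headings as `@c` comments, the way the unfinished menu entries above are handled, until the text exists. The same hunk also needs copy-editing before it lands: "is usually quite simpler in terms of that Extended Key Usage and Subect Altertive Names that is used" should read "is usually simpler in terms of the Extended Key Usage and Subject Alternative Names that are used"; "dNSname" should be "dNSName" (the GeneralName choice); "its stored inside a UTF8String" should be "it is stored inside a UTF8String"; "hxtool issue-certificate have support to add jid" should be "hxtool issue-certificate has support for adding a JID"; and "RFC3920" is conventionally written "RFC 3920". The `--jid="lha@@test.h5l.se"` example is correct as written, since `@@` is the Texinfo escape for a literal `@`.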