X509::extensions
Description
Returns the X509 extensions set on the specified X509 certificate. If
the certificate does not have any extensions, the output is “(no
extensions)”.
Syntax
X509::extensions <X509 certificate>
X509::extensions
- Returns the X509 extensions set on the specified X509 certificate. If the certificate does not have any extensions, the output is “(no extensions)”. If an invalid certificate is supplied, a runtime TCL error is generated.
Examples
when CLIENTSSL_CLIENTCERT {
    # Certificate at index 0 of the chain the client presented
    set client_cert [SSL::cert 0]
    log local0. "Client cert extensions - [X509::extensions $client_cert]"
    # Split the X509::extensions output on each newline character and log the values
    foreach item [split [X509::extensions $client_cert] \n] {
        log local0. "$item"
    }
}
# Sample output from a client cert with an EKU for client authentication (1.3.6.1.5.5.7.3.2, clientAuth):
<CLIENTSSL_CLIENTCERT>: Client cert extensions - X509v3 Extended Key Usage: TLS Web Client Authentication
<CLIENTSSL_CLIENTCERT>: X509v3 extensions:
<CLIENTSSL_CLIENTCERT>: X509v3 Extended Key Usage:
<CLIENTSSL_CLIENTCERT>: TLS Web Client Authentication
# Sample output from a client cert with no extensions:
<CLIENTSSL_CLIENTCERT>: Client cert extensions - (no extensions)
# Runtime TCL error when an invalid string is supplied instead of an SSL certificate:
01220001:3: TCL error: client_cert_ext_rule <CLIENTSSL_CLIENTCERT> - while executing "X509::extensions xx"
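
The rule below is an added example, not part of the original reference page: it uses the X509::extensions output to reject clients whose certificate lacks the clientAuth EKU, and traps the runtime error described above instead of letting the rule abort. It assumes the text layout shown in the sample output (the usage names on the line after the "X509v3 Extended Key Usage:" header, comma-separated when there are several); the variable names are illustrative.

```tcl
when CLIENTSSL_CLIENTCERT {
    # No certificate presented: nothing to inspect, drop the connection.
    if { [SSL::cert count] < 1 } {
        log local0. "No client certificate presented - rejecting"
        reject
        return
    }

    # X509::extensions raises a runtime Tcl error on an invalid certificate,
    # so catch it and fail closed.
    if { [catch { X509::extensions [SSL::cert 0] } ext_text] } {
        log local0. "X509::extensions failed: $ext_text - rejecting"
        reject
        return
    }

    # Walk the output line by line. Assumption: the line following the
    # "X509v3 Extended Key Usage:" header holds the usage names.
    set in_eku 0
    set has_client_auth 0
    foreach line [split $ext_text \n] {
        set line [string trim $line]
        if { $in_eku } {
            foreach usage [split $line ,] {
                if { [string trim $usage] eq "TLS Web Client Authentication" } {
                    set has_client_auth 1
                }
            }
            set in_eku 0
        } elseif { [string match "X509v3 Extended Key Usage:*" $line] } {
            set in_eku 1
        }
    }

    # Also covers the "(no extensions)" case, where no header is ever seen.
    if { !$has_client_auth } {
        log local0. "Client cert lacks clientAuth EKU - rejecting"
        reject
    }
}
```

Matching on rendered text is only as stable as that rendering, so re-check the rule against real certificates after a software upgrade.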