X509::extensions

Description

Returns the X509 extensions set on the specified X509 certificate. If the certificate does not have any extensions, the output is “(no extensions)”.

Syntax

X509::extensions <X509 certificate>

X509::extensions

  • Returns the X509 extensions set on the specified X509 certificate. If the certificate does not have any extensions, the output is “(no extensions)”. If an invalid certificate is supplied, a runtime TCL error is generated.

Examples

when CLIENTSSL_CLIENTCERT {
  set client_cert [SSL::cert 0]
  log local0. "Client cert extensions - [X509::extensions $client_cert]"

  # Split the X509::extensions output on each newline character and log each line separately
  foreach item [split [X509::extensions $client_cert] \n] {
    log local0. "$item"
  }
}
# Sample output from a client cert with an EKU for client authentication (1.3.6.1.5.5.7.3.2, clientAuth):
<CLIENTSSL_CLIENTCERT>: Client cert extensions - X509v3 Extended Key Usage:          TLS Web Client Authentication
<CLIENTSSL_CLIENTCERT>: X509v3 extensions:
<CLIENTSSL_CLIENTCERT>:     X509v3 Extended Key Usage:
<CLIENTSSL_CLIENTCERT>:         TLS Web Client Authentication

# Sample output from a client cert with no extensions:
<CLIENTSSL_CLIENTCERT>: Client cert extensions - (no extensions)

# Runtime TCL error when an invalid string is supplied instead of an SSL certificate:
01220001:3: TCL error: client_cert_ext_rule <CLIENTSSL_CLIENTCERT> -      while executing "X509::extensions xx"
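The following iRule is an added example and is not part of the original page or of F5's own documentation. It shows how a practitioner would consume the X509::extensions output defensively: it checks that a certificate was actually presented, wraps the call in catch so the documented runtime TCL error closes the connection instead of aborting the rule, treats the "(no extensions)" sentinel as a policy failure, and only accepts certificates whose Extended Key Usage contains TLS Web Client Authentication (the clientAuth EKU from the sample output above). It assumes a Client SSL profile that requests or requires a client certificate, so that CLIENTSSL_CLIENTCERT fires; the log messages and the decision to reject are illustrative policy choices, not behaviour taken from the page.

```tcl
# Added example (not from the original page). Assumes a Client SSL profile with
# client certificate authentication set to "request" or "require".
when CLIENTSSL_CLIENTCERT {
    # SSL::cert count is 0 when the client presented no certificate at all
    if { [SSL::cert count] < 1 } {
        log local0. "No client certificate presented; rejecting"
        reject
        return
    }
    set client_cert [SSL::cert 0]

    # X509::extensions raises a runtime TCL error on an unparsable certificate.
    # Catch it so the connection is rejected rather than the rule aborting.
    if { [catch { X509::extensions $client_cert } ext_text] } {
        log local0. "Failed to read client certificate extensions: $ext_text"
        reject
        return
    }

    # Documented sentinel returned for a certificate that carries no extensions
    if { [string trim $ext_text] eq "(no extensions)" } {
        log local0. "Client certificate has no extensions; rejecting"
        reject
        return
    }

    # Log each extension line with its indentation trimmed, and look for the
    # Extended Key Usage value that marks the certificate as a client cert.
    set has_client_auth 0
    foreach line [split $ext_text \n] {
        set line [string trim $line]
        if { $line eq "" } { continue }
        log local0. "ext: $line"
        # "TLS Web Client Authentication" is the long name for the clientAuth EKU
        if { [string first "TLS Web Client Authentication" $line] >= 0 } {
            set has_client_auth 1
        }
    }

    if { !$has_client_auth } {
        log local0. "Client certificate lacks the clientAuth EKU; rejecting"
        reject
        return
    }
    log local0. "Client certificate accepted: clientAuth EKU present"
}
```

Matching on the long name rather than re-parsing the OID is deliberate: X509::extensions returns the OpenSSL text rendering shown in the sample output, so the string comparison operates on the same form the page documents. Because the rule rejects on any catch error, a malformed certificate is handled the same way as a missing one, which keeps the failure mode closed rather than letting the handshake continue after a logging error.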