pki: Add a note about constructing RFC 3779 compliant certificates to manpage

diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 3f9382e9ac686953f9a254b91caf261ca5beff84..d1fa3473fa1e91e30b4e60c94cd2f6e35e827a19 100644 (file)
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -153,6 +153,9 @@ Set path length constraint.
 RFC 3779 address block to include in certificate. \fIblock\fR is either a
 CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
 (\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
+Please note that the supplied blocks are included in the certificate as is,
+so for standards compliance, multiple blocks must be supplied in correct
+order and adjacent blocks must be combined. Refer to RFC 3779 for details.
 .TP
 .BI "\-n, \-\-nc-permitted " name
 Add permitted NameConstraint extension to certificate. For DNS or email

diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index ec38e6d48ce083abc20ccd25a40bb8f33244ec70..4384fa72dd52750feeeb52cf93976b4de645f294 100644 (file)
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -132,6 +132,9 @@ Set path length constraint.
 RFC 3779 address block to include in certificate. \fIblock\fR is either a
 CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
 (\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
+Please note that the supplied blocks are included in the certificate as is,
+so for standards compliance, multiple blocks must be supplied in correct
+order and adjacent blocks must be combined. Refer to RFC 3779 for details.
 .TP
 .BI "\-n, \-\-nc-permitted " name
 Add permitted NameConstraint extension to certificate. For DNS or email