pki: Add a note about constructing RFC 3779 compliant certificates to manpage

2 files changed, 6 insertions, 0 deletions

diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 3f9382e9a..d1fa3473f 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -153,6 +153,9 @@ Set path length constraint.
 RFC 3779 address block to include in certificate. \fIblock\fR is either a
 CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
 (\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
+Please note that the supplied blocks are included in the certificate as is,
+so for standards compliance, multiple blocks must be supplied in correct
+order and adjacent blocks must be combined. Refer to RFC 3779 for details.
 .TP
 .BI "\-n, \-\-nc-permitted " name
 Add permitted NameConstraint extension to certificate. For DNS or email
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index ec38e6d48..4384fa72d 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -132,6 +132,9 @@ Set path length constraint.
 RFC 3779 address block to include in certificate. \fIblock\fR is either a
 CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
 (\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
+Please note that the supplied blocks are included in the certificate as is,
+so for standards compliance, multiple blocks must be supplied in correct
+order and adjacent blocks must be combined. Refer to RFC 3779 for details.
 .TP
 .BI "\-n, \-\-nc-permitted " name
 Add permitted NameConstraint extension to certificate. For DNS or email