author | jim-p <jimp@pfsense.org> | 2011-11-09 15:43:49 -0500 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2011-11-09 15:45:21 -0500 |
commit | 77a888140bd834514e199757f38656cc0ab0ee94 (patch) | |
tree | 239f8ab0ee15e62d63e2df0828fe11f1f2a61753 /etc/ssl | |
parent | 0389f03498994dbdaf47543a325b58d14b1cdbab (diff) | |
When creating an internal certificate, offer the user a choice of what constraints to place upon the certificate (CA, Server, or User).
Diffstat (limited to 'etc/ssl')
-rw-r--r-- | etc/ssl/openssl.cnf | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf
index a1dcfe8..4039035 100644
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -189,7 +189,7 @@ basicConstraints=CA:FALSE
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
+nsComment = "OpenSSL Generated User Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
@@ -212,6 +212,17 @@ authorityKeyIdentifier=keyid,issuer:always
 #nsCaPolicyUrl
 #nsSslServerName
+[ server ]
+
+# Make a cert with nsCertType=server
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
 [ v3_req ]
 # Extensions to add to a certificate request |
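Review bot: In the new `[ server ]` section, `keyUsage` is emitted as a non-critical extension, so a relying party that does not recognise it may ignore the restriction; RFC 5280 recommends marking it critical when present, i.e. `keyUsage = critical, digitalSignature, keyEncipherment`. Separating server from user certificates with `nsCertType` and `extendedKeyUsage=serverAuth` only protects anything if peers verify the certificate type, which the section comment could state, for example `# Server profile: peers must check serverAuth/nsCertType so a user certificate is not accepted as a server`. The user profile touched by the first hunk still shows `keyUsage` commented out in its context lines, so user certificates appear to carry no usage restriction; whether `extendedKeyUsage=clientAuth` is set elsewhere in that section is not visible here and should be confirmed.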