authorjim-p <jimp@pfsense.org>2011-11-09 15:43:49 -0500
committerjim-p <jimp@pfsense.org>2011-11-09 15:45:21 -0500
commit77a888140bd834514e199757f38656cc0ab0ee94 (patch)
tree239f8ab0ee15e62d63e2df0828fe11f1f2a61753 /etc/ssl
parent0389f03498994dbdaf47543a325b58d14b1cdbab (diff)
When creating an internal certificate, offer the user a choice of what constraints to place upon the certificate (CA, Server, or User).
Diffstat (limited to 'etc/ssl')
-rw-r--r--etc/ssl/openssl.cnf13
1 files changed, 12 insertions, 1 deletions
diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf
index a1dcfe8..4039035 100644
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -189,7 +189,7 @@ basicConstraints=CA:FALSE
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
+nsComment = "OpenSSL Generated User Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
@@ -212,6 +212,17 @@ authorityKeyIdentifier=keyid,issuer:always
#nsCaPolicyUrl
#nsSslServerName
+[ server ]
+
+# Make a cert with nsCertType=server
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
[ v3_req ]
# Extensions to add to a certificate request
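Review bot: In the new `[ server ]` section, `keyUsage` and `extendedKeyUsage` are added without the `critical` flag, so a verifier that does not process those extensions may skip them instead of rejecting the certificate; RFC 5280 recommends that CAs mark keyUsage critical, e.g. `keyUsage = critical, digitalSignature, keyEncipherment`. The section comment mentions only nsCertType, although the section also restricts the certificate to TLS server authentication; a comment such as `# End-entity TLS server cert: not a CA, serverAuth only` would state what the section enforces. `authorityKeyIdentifier=keyid,issuer:always` repeats the setting visible in the hunk header, and it ties issued certificates to the CA certificate's issuer name and serial, so it is worth confirming this is intended if the CA certificate may later be re-issued with the same key. The code that selects this section when signing is outside this diff.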