author | jim-p <jimp@pfsense.org> | 2011-11-09 15:43:49 -0500 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2011-11-09 15:43:49 -0500 |
commit | 7aaabd69b0dabc83fc535525bfd6200c3dd67245 (patch) | |
tree | ec9241a8bdfb6ba699209a7aa2734354d837cc13 /etc/ssl | |
parent | 74a556a3caa67adb0adac055ffb9321e264e1b71 (diff) | |
When creating an internal certificate, offer the user a choice of what constraints to place upon the certificate (CA, Server, or User).
Diffstat (limited to 'etc/ssl')
-rw-r--r-- | etc/ssl/openssl.cnf | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf
index a1dcfe8..4039035 100644
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -189,7 +189,7 @@ basicConstraints=CA:FALSE
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
+nsComment = "OpenSSL Generated User Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
@@ -212,6 +212,17 @@ authorityKeyIdentifier=keyid,issuer:always
 #nsCaPolicyUrl
 #nsSslServerName
+[ server ]
+
+# Make a cert with nsCertType=server
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
 [ v3_req ]
 # Extensions to add to a certificate request |
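Review bot: Relabelling the comment as "User Certificate" does not constrain the certificate, because the only `keyUsage` line visible in this hunk is still commented out and no `extendedKeyUsage` appears in the context. A certificate with no EKU is accepted for any purpose by most validators, so a "User" certificate issued from this section could still be presented as a TLS server certificate. If the intent is a real client profile, I would add `extendedKeyUsage=clientAuth` and enable the `keyUsage` line next to this change. Most of the section lies outside the hunk, so confirm that neither is already set further up.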
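Review bot: In the new `[ server ]` section `keyUsage` is emitted as a non-critical extension, whereas RFC 5280 says a CA should mark it critical when present. I would write `keyUsage = critical, digitalSignature, keyEncipherment`. The section comment describes the profile only by `nsCertType=server`, a legacy Netscape extension that current validators generally ignore, while the restriction they enforce is `extendedKeyUsage=serverAuth`. I would reword it to `# Server profile: EKU serverAuth is the enforced restriction; nsCertType is kept for older peers that check it`.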