authorjim-p <jimp@pfsense.org>2011-11-09 15:43:49 -0500
committerjim-p <jimp@pfsense.org>2011-11-09 15:43:49 -0500
commit7aaabd69b0dabc83fc535525bfd6200c3dd67245 (patch)
treeec9241a8bdfb6ba699209a7aa2734354d837cc13 /etc/ssl
parent74a556a3caa67adb0adac055ffb9321e264e1b71 (diff)
When creating an internal certificate, offer the user a choice of what constraints to place upon the certificate (CA, Server, or User).
Diffstat (limited to 'etc/ssl')
-rw-r--r--etc/ssl/openssl.cnf13
1 files changed, 12 insertions, 1 deletions
diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf
index a1dcfe8..4039035 100644
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -189,7 +189,7 @@ basicConstraints=CA:FALSE
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
+nsComment = "OpenSSL Generated User Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
@@ -212,6 +212,17 @@ authorityKeyIdentifier=keyid,issuer:always
#nsCaPolicyUrl
#nsSslServerName
+[ server ]
+
+# Make a cert with nsCertType=server
+basicConstraints=CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
[ v3_req ]
# Extensions to add to a certificate request
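Review bot: In the new `[ server ]` section, `keyUsage` and `basicConstraints` are emitted as non-critical extensions, so a verifier that does not process them may ignore the restriction; RFC 5280 recommends that CAs mark keyUsage critical. Consider `keyUsage = critical, digitalSignature, keyEncipherment` and `basicConstraints = critical, CA:FALSE`. The section comment mentions only nsCertType, although the section also fixes the key usage and `extendedKeyUsage=serverAuth`, which is the constraint standards-based TLS verifiers check; it could read `# Server certificate: not a CA, limited to TLS server authentication (EKU serverAuth); nsCertType is the legacy Netscape equivalent`. No subjectAltName is set in the lines shown, so it is worth confirming that the code invoking this section supplies one where clients validate host names.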