author | Chris Buechler <cmb@pfsense.org> | 2015-07-20 20:20:49 -0500 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2015-07-20 20:21:33 -0500 |
commit | ed2265217acc84b6c83e307de01d25d0688cb603 (patch) | |
tree | c01cb5404eb735e399e7449ff34e1476bfbfde67 /etc | |
parent | c85fe8b1d6a0c2da2cc93624b015302b40db5cd0 (diff) | |
Specify keyUsage and extendedKeyUsage in openssl.cnf, use crl_ext.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/ssl/openssl.cnf | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf
index b5672d4..75668f7 100644
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -68,7 +68,7 @@ cert_opt = ca_default # Certificate field options
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
 # crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions = crl_ext
+crl_extensions = crl_ext
 default_days = 365 # how long to certify for
 default_crl_days= 30 # how long before next CRL
@@ -190,7 +190,7 @@ basicConstraints=CA:FALSE
 # nsCertType = client, email, objsign
 # This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 # This will be displayed in Netscape's comment listbox.
 nsComment = "OpenSSL Generated User Certificate"
@@ -198,6 +198,7 @@ nsComment = "OpenSSL Generated User Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
@@ -223,6 +224,7 @@ basicConstraints=CA:FALSE
 nsComment = "OpenSSL Generated User Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
+extendedKeyUsage=clientAuth
 subjectAltName=$ENV::SAN
 [ server ]
@@ -273,10 +275,8 @@ authorityKeyIdentifier=keyid:always,issuer:always
 # So we do this instead.
 basicConstraints = CA:true
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
 # Some might want this also
 # nsCertType = sslCA, emailCA |
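Review bot: The three comment lines kept above the now-active `crl_extensions = crl_ext` in the first hunk still say the setting is commented out by default to leave a V1 CRL, which no longer matches the file. I would reword them, for example `# Extensions to add to a CRL. With crl_extensions set, V2 CRLs are produced.`, so the next maintainer does not read the line as an accident. Whether a `[ crl_ext ]` section and `crlnumber` are defined lies outside this hunk and should be confirmed before relying on the change.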
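Review bot: The activated `keyUsage = nonRepudiation, digitalSignature, keyEncipherment` in the second hunk grants more than a client-authentication certificate needs and is not marked critical. Since the same section gets `extendedKeyUsage=clientAuth` in the next hunk, `nonRepudiation` looks unnecessary, and `keyUsage = critical, digitalSignature, keyEncipherment` would be a tighter fit. RFC 5280 says keyUsage SHOULD be marked critical when present, and the same applies to `keyUsage = cRLSign, keyCertSign` in the last hunk. The section header is outside the hunk, so I am assuming from the surrounding comments that this is the user-certificate section.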
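Review bot: `extendedKeyUsage=clientAuth` is added directly under the comment `# PKIX recommendations harmless if included in all certificates.`, but it is not harmless in that sense: it restricts every certificate issued from this section to TLS client authentication. It deserves its own comment, for example `# Restrict certificates from this section to TLS client authentication.`, separated from the identifier lines above it. The same line is added without a comment in the next hunk, in the section that sets `subjectAltName=$ENV::SAN`. If either section is also used to issue certificates for other purposes, validators that enforce EKU would reject them; that cannot be told from the hunk.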
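Review bot: The caveat deleted in the last hunk still holds once `keyUsage = cRLSign, keyCertSign` is active: a self-signed certificate built from this section asserts neither digitalSignature nor keyEncipherment, so clients that enforce key usage may refuse it as a TLS server certificate. I would keep a one-line note, for example `# CA-only key usage: certificates from this section are not suitable as TLS server certificates.` Whether anything generates a self-signed server certificate through this section is not visible here and is worth checking. The section header is outside the hunk.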