authorjim-p <jimp@pfsense.org>2017-07-05 16:41:38 -0400
committerjim-p <jimp@pfsense.org>2017-07-05 16:41:38 -0400
commit282b6c666a2f95a51a4b46d89fa80357d2ebccb2 (patch)
tree3045fafdcd987a384c9148db80144684304e8c87 /src/usr/local/share/pfSense
parent5c985ed29b1d286d65a0acc3cc96d524021a7d20 (diff)
Add the ability to set certificate type and SAN attributes in a CSR. Ticket #7527
TODO: They are not carried over after signing in the GUI
Diffstat (limited to 'src/usr/local/share/pfSense')
-rw-r--r--src/usr/local/share/pfSense/ssl/openssl.cnf101
1 files changed, 48 insertions, 53 deletions
diff --git a/src/usr/local/share/pfSense/ssl/openssl.cnf b/src/usr/local/share/pfSense/ssl/openssl.cnf
index 8fd311a..a353e2f 100644
--- a/src/usr/local/share/pfSense/ssl/openssl.cnf
+++ b/src/usr/local/share/pfSense/ssl/openssl.cnf
@@ -168,68 +168,22 @@ unstructuredName = An optional company name
[ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated User Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-extendedKeyUsage=clientAuth
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This is required for TSA certificates.
-# extendedKeyUsage = critical,timeStamping
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = clientAuth
[ usr_cert_san ]
# copy of [ usr_cert ] plus nonempty Subject Alternative Names
basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated User Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $ENV::SAN
[ server ]
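Review bot: The rewritten [ usr_cert ] section no longer says who applies it, because the old header line `# These extensions are added when 'ca' signs a request.` is dropped together with the nsCertType and subjectAltName examples; with the new CSR-side copies added later in this commit, the signing-side/CSR-side distinction is the one thing a reader of this section needs. I would restore a single line above `basicConstraints = CA:FALSE`: `# Extensions applied by 'openssl ca' when signing a request; CSR-side copies are the [ req_* ] sections below`. The move of `keyUsage` within [ usr_cert_san ] is a pure reorder and changes nothing in the resulting certificate.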
@@ -237,22 +191,62 @@ subjectAltName = $ENV::SAN
# Make a cert with nsCertType=server
basicConstraints = CA:FALSE
nsCertType = server
+keyUsage = digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
-keyUsage = digitalSignature, keyEncipherment
[ server_san ]
# copy of [ server ] plus nonempty Subject Alternative Names
basicConstraints = CA:FALSE
nsCertType = server
+keyUsage = digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
+subjectAltName = $ENV::SAN
+
+[ req_usr_cert ]
+
+# Copy of [ usr_cert ] for CSR
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated User Certificate"
+subjectKeyIdentifier = hash
+extendedKeyUsage = clientAuth
+
+[ req_usr_cert_san ]
+
+# Copy of [ usr_cert_san ] for CSR
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated User Certificate"
+subjectKeyIdentifier = hash
+extendedKeyUsage = clientAuth
+subjectAltName = $ENV::SAN
+
+[ req_server ]
+
+# Copy of [ server ] for CSR
+basicConstraints = CA:FALSE
+nsCertType = server
+keyUsage = digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
+
+[ req_server_san ]
+
+# Copy of [ server_san ] for CSR
+basicConstraints = CA:FALSE
+nsCertType = server
keyUsage = digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
subjectAltName = $ENV::SAN
[ v3_req ]
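Review bot: The four new [ req_usr_cert ], [ req_usr_cert_san ], [ req_server ] and [ req_server_san ] sections place basicConstraints, keyUsage, extendedKeyUsage and (for the _san variants) `subjectAltName = $ENV::SAN` into the CSR, but the commit's own TODO notes they are not carried into the signed certificate; with `openssl ca` that only happens when `copy_extensions` is set in the CA section, which is outside this hunk. If that is the intended follow-up, `copy_extensions = copy` is the safe choice: it imports SAN from the request while the signing-side [ usr_cert ]/[ server ] values for basicConstraints, keyUsage and extendedKeyUsage still take precedence over whatever the requester put in the CSR, whereas `copyall` would let request-supplied values override them. Each section's `# Copy of [ ... ] for CSR` comment would be more useful if it also said how the section is selected (presumably via the `-reqexts` option of `openssl req`, which I cannot confirm from this file) and that the env var SAN must be set for the _san variants, since the config parser fails on an undefined `$ENV::` reference. Omitting authorityKeyIdentifier in the request-side copies is correct, since a CSR has no issuer.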
@@ -262,6 +256,7 @@ subjectAltName = $ENV::SAN
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
[ v3_ca ]
# Extensions for a typical CA