keygen: add CA extensions to self-signed certificates

master
speidy 8 years ago
parent 38253f1371
commit 2c48dd04e1

@ -1,4 +1,41 @@
[req] [req]
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
x509_extensions = v3_ca # The extentions to add to the self signed cert
[req_distinguished_name] [req_distinguished_name]
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

Loading…
Cancel
Save