From 2c48dd04e137f6a82b3fbc1f34707ab86d8517a5 Mon Sep 17 00:00:00 2001
From: speidy
Date: Sat, 24 Dec 2016 17:38:54 -0500
Subject: [PATCH 1/2] keygen: add CA extensions to self-signed certificates
---
 keygen/openssl.conf | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/keygen/openssl.conf b/keygen/openssl.conf
index 79b1dfb4..57037608 100644
--- a/keygen/openssl.conf
+++ b/keygen/openssl.conf
@@ -1,4 +1,41 @@
 [req]
 distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extentions to add to the self signed cert
 
 [req_distinguished_name]
+
+[ v3_ca ]
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
From 337b2d4be3c84df17712acddf41cfdce658a267c Mon Sep 17 00:00:00 2001
From: speidy
Date: Sun, 25 Dec 2016 04:34:52 -0500
Subject: [PATCH 2/2] keygen: openssl.conf cleanup
---
 keygen/openssl.conf | 33 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 19 deletions(-)
diff --git a/keygen/openssl.conf b/keygen/openssl.conf
index 57037608..09db6c25 100644
--- a/keygen/openssl.conf
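Review bot: `basicConstraints = CA:true` in the new `[ v3_ca ]` section, with no `pathlen` and with `keyUsage` left commented out, makes the generated self-signed certificate an unconstrained CA: any peer that trusts or pins it will also accept every certificate signed with its key, and the section is otherwise the stock `[ v3_ca ]` block from the openssl.cnf sample shipped with OpenSSL rather than a profile chosen for this generator. If keygen's certificate is presented directly as a server (leaf) certificate, which the `keyUsage` comment about a "test self-signed certificate" suggests, `basicConstraints = critical, CA:false` is the appropriate value; if it must genuinely act as a CA, keep `CA:true` but add `pathlen:0` and mark the extension critical, since RFC 5280 §4.2.1.9 requires that for CA certificates and the "broken software" caveat in the comment predates current validators. A `subjectAltName` naming the host would also be needed if TLS clients validate the certificate name, as browsers no longer fall back to the CN. The same `basicConstraints = CA:true` line survives unchanged in the second patch of this series.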
+++ b/keygen/openssl.conf
@@ -1,41 +1,36 @@
 [req]
 distinguished_name = req_distinguished_name
-x509_extensions = v3_ca # The extentions to add to the self signed cert
+# The extensions to add to the self signed cert
+x509_extensions = v3_ca
 
 [req_distinguished_name]
 
-[ v3_ca ]
-
-# Extensions for a typical CA
-
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-
-authorityKeyIdentifier=keyid:always,issuer
+[v3_ca]
+# Extensions for a typical CA - PKIX recommendation.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
 
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
-#basicConstraints = critical,CA:true
+#basicConstraints = critical, CA:true
 # So we do this instead.
 basicConstraints = CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
 # left out by default.
-# keyUsage = cRLSign, keyCertSign
+#keyUsage = cRLSign, keyCertSign
 
 # Some might want this also
-# nsCertType = sslCA, emailCA
+#nsCertType = sslCA, emailCA
 
 # Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
+#subjectAltName = email:copy
 # Copy issuer details
-# issuerAltName=issuer:copy
+#issuerAltName = issuer:copy
 
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
+# DER hex encoding of an extension: experts only!
+#obj = DER:02:03
 # Where 'obj' is a standard or added object
 # You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
+#basicConstraints = critical, DER:30:03:01:01:FF
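Review bot: The cleanup keeps the commented-out sample lines `#nsCertType = sslCA, emailCA`, `#subjectAltName = email:copy`, `#issuerAltName = issuer:copy`, `#obj = DER:02:03` and `#basicConstraints = critical, DER:30:03:01:01:FF`, which are boilerplate from the openssl.cnf sample shipped with OpenSSL and say nothing about what keygen intends; `DER:30:03:01:01:FF` is simply a raw encoding of `CA:TRUE`, so uncommenting it would duplicate the live `basicConstraints` line above it. A cleanup commit is the place to drop that block and replace it with a one-line pointer such as `# See x509v3_config(5) for other extensions`, leaving only the settings that are actually applied. The retained context line `# prevent it being used as an test self-signed certificate it is best` also still reads "an test".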