-rw-r--r-- | openssl-ca-acf.cnf | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/openssl-ca-acf.cnf b/openssl-ca-acf.cnf index 73db0c6..7530240 100644 --- a/openssl-ca-acf.cnf +++ b/openssl-ca-acf.cnf @@ -69,14 +69,13 @@ countryName = optional commonName = supplied emailAddress = optional localityName = optional -subjectAltName = optional - +subjectAltName = optional [ policy_acf_cert ] organizationalUnitName = optional commonName = supplied emailAddress = optional -subjectAltName = optional +subjectAltName = optional #################################################################### @@ -147,34 +146,42 @@ authorityKeyIdentifier = keyid,issuer:always [ general_cert ] # Non-specific +policy = policy_acf_cert +x509_extensions = general +[ general ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always -policy = policy_acf_cert - [ ssl_server_cert ] # SSL server +policy = policy_acf_cert +x509_extensions = ssl_server +[ ssl_server ] basicConstraints = CA:FALSE nsCertType = server keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always -policy = policy_acf_cert [ ssl_client_cert ] # SSL client +policy = policy_acf_cert +x509_extensions = ssl_client +[ ssl_client ] basicConstraints = CA:FALSE nsCertType = client keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always -policy = policy_acf_cert [ ssl_ca_cert ] # SSL Certifying Authority +policy = policy_acf_ca +x509_extensions = ssl_ca +[ ssl_ca ] basicConstraints = critical, CA:true nsCertType = sslCA # Below is correct, but may prevent self-signed certs from working @@ -182,7 +189,6 @@ keyUsage = cRLSign, keyCertSign extendedKeyUsage = subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always -policy = policy_acf_ca [ crl_ext ] authorityKeyIdentifier = keyid,issuer:always |
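Review bot: In the second hunk the new `ssl_ca_cert` profile points `x509_extensions` at `[ ssl_ca ]`, whose `basicConstraints = critical, CA:true` has no path length limit, so a certificate signed under this profile can itself issue further CAs. If subordinate CAs created through this profile are only meant to sign end-entity certificates, `basicConstraints = critical, CA:true, pathlen:0` would bound that; a self-signed root would need to stay unconstrained. The four `*_cert` profiles are now selected purely by name, so whatever code picks the profile (not visible in this diff) decides between `CA:FALSE` and `CA:true`, and that choice should not be taken from the requester unchecked. A short comment above `[ general_cert ]`, such as `# <name>_cert = signing profile (policy + x509_extensions); <name> = the extension set it applies`, would document the new two-level layout.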