Diffstat (limited to 'openssl-ca-acf.cnf')
-rw-r--r--openssl-ca-acf.cnf30
1 files changed, 11 insertions, 19 deletions
diff --git a/openssl-ca-acf.cnf b/openssl-ca-acf.cnf
index 2e3adfb..47eec0e 100644
--- a/openssl-ca-acf.cnf
+++ b/openssl-ca-acf.cnf
@@ -89,12 +89,7 @@ countryName = optional
commonName = supplied
emailAddress = optional
localityName = optional
-subjectAltName.1 = optional
-subjectAltName.2 = optional
-subjectAltName.3 = optional
-subjectAltName.4 = optional
-
-
+subjectAltName = optional
####################################################################
[ req ]
@@ -102,7 +97,7 @@ default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
-x509_extensions = ssl_client_cert
+x509_extensions = v3_ca_cert
string_mask = nombstr
[ req_distinguished_name ]
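Review bot: Pointing `x509_extensions` at `v3_ca_cert` means every self-signed certificate made from this `[ req ]` section now carries `CA:true` and `keyCertSign`, where it previously got the client-certificate profile. Nothing on the line says this section is now reserved for creating the root CA. A comment above it would make that explicit, for example `# req -x509 is used only to create the self-signed CA root; end-entity certs are issued through the ca sections below`. The `[ req ]` header sits outside this hunk, so confirm no other workflow relies on this file to produce self-signed end-entity certificates.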
@@ -136,6 +131,13 @@ challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
+[ v3_ca_cert ]
+basicConstraints = critical, CA:true
+nsCertType = sslCA
+# Below is correct, but may prevent self-signed certs from working
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
[ general_cert ]
# Non-specific
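Review bot: In the new `[ v3_ca_cert ]` section, `keyUsage` is not marked critical, although RFC 5280 says CA certificates should mark it so; consider `keyUsage = critical, cRLSign, keyCertSign`. The copied comment "may prevent self-signed certs from working" is now misleading, because after the `x509_extensions` change this is exactly the section applied to self-signed certificates. Either confirm the root still validates with this keyUsage and drop the caveat, or reword it to say what was tested. Separately, `authorityKeyIdentifier = keyid,issuer:always` on a self-signed root embeds the root's own issuer name and serial, which can complicate re-issuing the root later with the same key; `keyid:always` alone may be enough here.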
@@ -165,26 +167,16 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
policy = policy_acf_ca
-[ v3_ca_cert ]
+[ ssl_ca_cert ]
# SSL Certifying Authority
basicConstraints = critical, CA:true
nsCertType = sslCA
# Below is correct, but may prevent self-signed certs from working
keyUsage = cRLSign, keyCertSign
-#extendedKeyUsage = serverAuth, clientAuth
-extenedKeyUsage =
+extendedKeyUsage =
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
policy = policy_acf_ca
[ crl_ext ]
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature, keyEncipherment
-subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
-
-[ v3_req ]
-# Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
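Review bot: In the renamed `[ ssl_ca_cert ]` section, the corrected `extendedKeyUsage =` line still has an empty value. Depending on how the file is consumed, that is either rejected at signing time or produces no usable EKU, so it would be clearer to delete the line or list the intended purposes explicitly. Because this section is used to issue subordinate CA certificates, `basicConstraints = critical, CA:true` with no path length lets each issued CA create further CAs. If that is not intended, use `basicConstraints = critical, CA:true, pathlen:0`. The hunk also deletes `[ v3_req ]`, so check that no `req_extensions` or `-extensions v3_req` reference remains outside the visible hunks.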