authorspeidy <speidy@gmail.com>2016-12-24 17:38:54 -0500
committerspeidy <speidy@gmail.com>2016-12-24 17:38:54 -0500
commit2c48dd04e137f6a82b3fbc1f34707ab86d8517a5 (patch)
tree105283766744c04de8c6d6816584b497a5b5b860
parent38253f1371b5e01e05ba995f28b6451ee57b613c (diff)
keygen: add CA extensions to self-signed certificates
-rw-r--r--keygen/openssl.conf37
1 files changed, 37 insertions, 0 deletions
diff --git a/keygen/openssl.conf b/keygen/openssl.conf
index 79b1dfb4..57037608 100644
--- a/keygen/openssl.conf
+++ b/keygen/openssl.conf
@@ -1,4 +1,41 @@
[req]
distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extentions to add to the self signed cert
[req_distinguished_name]
+
+[ v3_ca ]
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
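Review bot: The `[ v3_ca ]` section is OpenSSL's stock CA profile, so `basicConstraints = CA:true` (with `keyUsage` left commented out) marks what the keygen directory name suggests is xrdp's own TLS server certificate as a certificate authority; any client or administrator who imports that self-signed cert into a trust store to silence the warning then trusts the xrdp host's private key to issue certificates for arbitrary names. For an end-entity server certificate the lines should instead read `basicConstraints = critical,CA:FALSE`, `keyUsage = critical,digitalSignature,keyEncipherment`, `extendedKeyUsage = serverAuth`. The section also sets no `subjectAltName`, which current TLS clients generally require in place of the CN, so it is worth adding if the keygen knows the host name. If the CA profile is intentional, a comment stating why a self-signed server certificate must be CA:true would help the next reader; note that the hunk header counts one more context line than is visible here, so its final line appears to fall past this excerpt.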