author | Idan Freiberg <speidy@gmail.com> | 2016-12-29 07:11:03 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-12-29 07:11:03 +0200 |
commit | d257108b92c5eae454c5eb0ede6a4bf6112d5ff4 (patch) | |
tree | 49d9328acb3c34710a6725e1cfd53c1e305e5cad | |
parent | a96c91b38e68e189e6861dfdf3df5852881ad470 (diff) | |
parent | 337b2d4be3c84df17712acddf41cfdce658a267c (diff) | |
download | xrdp-proprietary-d257108b92c5eae454c5eb0ede6a4bf6112d5ff4.tar.gz xrdp-proprietary-d257108b92c5eae454c5eb0ede6a4bf6112d5ff4.zip |
Merge pull request #588 from speidy/openssl_ca
keygen: add CA extensions to self-signed certificates
-rw-r--r-- | keygen/openssl.conf | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/keygen/openssl.conf b/keygen/openssl.conf
index 79b1dfb4..09db6c25 100644
--- a/keygen/openssl.conf
+++ b/keygen/openssl.conf
@@ -1,4 +1,36 @@
 [req]
 distinguished_name = req_distinguished_name
+# The extensions to add to the self signed cert
+x509_extensions = v3_ca
 
 [req_distinguished_name]
+
+[v3_ca]
+# Extensions for a typical CA - PKIX recommendation.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical, CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+#keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+#nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+#subjectAltName = email:copy
+# Copy issuer details
+#issuerAltName = issuer:copy
+
+# DER hex encoding of an extension: experts only!
+#obj = DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+#basicConstraints = critical, DER:30:03:01:01:FF
|
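Review bot: `basicConstraints = CA:true` in `[v3_ca]` marks every self-signed certificate generated from this config as a CA, with no path-length limit and with `keyUsage` left commented out, so nothing in the certificate restricts what its key may sign. If the same certificate is the one the server presents for TLS (not visible in this hunk, so to be confirmed), a client that imports it as trusted is trusting a key that can issue certificates for other names, and a key leak on one host then reaches beyond that host. `basicConstraints = CA:true, pathlen:0` would at least rule out subordinate CAs, although it still allows leaf issuance. I would also add a comment above that line, for example `# CA:true lets this key sign other certificates; generate one per host and do not import it into a shared trust store`. The block copies the stock OpenSSL sample comments, so a line saying why xrdp needs the CA flag at all would help the next reader judge whether it can be dropped.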