diff options
author | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-10-08 16:15:23 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-10-08 16:15:23 +0000 |
commit | fe2a2af3ce6b90f1ba0fc4184b20b66baa48af6a (patch) | |
tree | c045b8e2fc06fecd3344d2d758b76674ba577245 | |
parent | 6d9451d08129220313fbcd503a14a8bb02644a59 (diff) |
set the client/server certificate options with all the common keyusage
and extendedkeyusage and nscerttype flags. the ikectl CA can now be used
with all kinds of other vpn tools in addition to iked and isakmpd.
ok phessler@
-rw-r--r-- | usr.sbin/ikectl/ikeca.c | 8 | ||||
-rw-r--r-- | usr.sbin/ikectl/ikeca.cnf | 7 |
2 files changed, 11 insertions, 4 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c index 06547afd214..9f95b892aaa 100644 --- a/usr.sbin/ikectl/ikeca.c +++ b/usr.sbin/ikectl/ikeca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikeca.c,v 1.18 2010/10/08 15:45:34 jsg Exp $ */ +/* $OpenBSD: ikeca.c,v 1.19 2010/10/08 16:15:22 reyk Exp $ */ /* $vantronix: ikeca.c,v 1.13 2010/06/03 15:52:52 reyk Exp $ */ /* @@ -219,10 +219,12 @@ ca_certificate(struct ca *ca, char *keyname, int type, int action) switch (action) { case CA_SERVER: - envargs = " EXTCERTUSAGE=serverAuth"; + envargs = " EXTCERTUSAGE=serverAuth NSCERTTYPE=server" + " CERTUSAGE=digitalSignature,keyEncipherment"; break; case CA_CLIENT: - envargs = " EXTCERTUSAGE=clientAuth"; + envargs = " EXTCERTUSAGE=clientAuth NSCERTTYPE=client" + " CERTUSAGE=digitalSignature,keyAgreement"; break; default: break; diff --git a/usr.sbin/ikectl/ikeca.cnf b/usr.sbin/ikectl/ikeca.cnf index 321efb36f72..8a6ba77e2a0 100644 --- a/usr.sbin/ikectl/ikeca.cnf +++ b/usr.sbin/ikectl/ikeca.cnf @@ -1,4 +1,4 @@ -# $OpenBSD: ikeca.cnf,v 1.3 2010/10/07 09:36:33 phessler Exp $ +# $OpenBSD: ikeca.cnf,v 1.4 2010/10/08 16:15:22 reyk Exp $ # $vantronix: ikeca.cnf,v 1.3 2010/05/31 12:26:26 reyk Exp $ RANDFILE = /dev/arandom @@ -18,6 +18,7 @@ EXTCERTUSAGE = serverAuth,clientAuth CERTIP = 0.0.0.0 CERTFQDN = nohost.nodomain CADB = index.txt +NSCERTTYPE = server,client [ req ] default_bits = 2048 @@ -74,10 +75,14 @@ basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN keyUsage=$ENV::CERTUSAGE [x509v3_IPAddr] +keyUsage=$ENV::CERTUSAGE +nsCertType=$ENV::NSCERTTYPE subjectAltName=IP:$ENV::CERTIP extendedKeyUsage=$ENV::EXTCERTUSAGE [x509v3_FQDN] +keyUsage=$ENV::CERTUSAGE +nsCertType=$ENV::NSCERTTYPE subjectAltName=DNS:$ENV::CERTFQDN extendedKeyUsage=$ENV::EXTCERTUSAGE |