summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorReyk Floeter <reyk@cvs.openbsd.org>2010-10-08 16:15:23 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2010-10-08 16:15:23 +0000
commitfe2a2af3ce6b90f1ba0fc4184b20b66baa48af6a (patch)
treec045b8e2fc06fecd3344d2d758b76674ba577245
parent6d9451d08129220313fbcd503a14a8bb02644a59 (diff)
set the client/server certificate options with all the common keyusage
and extendedkeyusage and nscerttype flags. the ikectl CA can now be used with all kinds of other vpn tools in addition to iked and isakmpd. ok phessler@
-rw-r--r--usr.sbin/ikectl/ikeca.c8
-rw-r--r--usr.sbin/ikectl/ikeca.cnf7
2 files changed, 11 insertions, 4 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 06547afd214..9f95b892aaa 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.18 2010/10/08 15:45:34 jsg Exp $ */
+/* $OpenBSD: ikeca.c,v 1.19 2010/10/08 16:15:22 reyk Exp $ */
/* $vantronix: ikeca.c,v 1.13 2010/06/03 15:52:52 reyk Exp $ */
/*
@@ -219,10 +219,12 @@ ca_certificate(struct ca *ca, char *keyname, int type, int action)
switch (action) {
case CA_SERVER:
- envargs = " EXTCERTUSAGE=serverAuth";
+ envargs = " EXTCERTUSAGE=serverAuth NSCERTTYPE=server"
+ " CERTUSAGE=digitalSignature,keyEncipherment";
break;
case CA_CLIENT:
- envargs = " EXTCERTUSAGE=clientAuth";
+ envargs = " EXTCERTUSAGE=clientAuth NSCERTTYPE=client"
+ " CERTUSAGE=digitalSignature,keyAgreement";
break;
default:
break;
diff --git a/usr.sbin/ikectl/ikeca.cnf b/usr.sbin/ikectl/ikeca.cnf
index 321efb36f72..8a6ba77e2a0 100644
--- a/usr.sbin/ikectl/ikeca.cnf
+++ b/usr.sbin/ikectl/ikeca.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: ikeca.cnf,v 1.3 2010/10/07 09:36:33 phessler Exp $
+# $OpenBSD: ikeca.cnf,v 1.4 2010/10/08 16:15:22 reyk Exp $
# $vantronix: ikeca.cnf,v 1.3 2010/05/31 12:26:26 reyk Exp $
RANDFILE = /dev/arandom
@@ -18,6 +18,7 @@ EXTCERTUSAGE = serverAuth,clientAuth
CERTIP = 0.0.0.0
CERTFQDN = nohost.nodomain
CADB = index.txt
+NSCERTTYPE = server,client
[ req ]
default_bits = 2048
@@ -74,10 +75,14 @@ basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
keyUsage=$ENV::CERTUSAGE
[x509v3_IPAddr]
+keyUsage=$ENV::CERTUSAGE
+nsCertType=$ENV::NSCERTTYPE
subjectAltName=IP:$ENV::CERTIP
extendedKeyUsage=$ENV::EXTCERTUSAGE
[x509v3_FQDN]
+keyUsage=$ENV::CERTUSAGE
+nsCertType=$ENV::NSCERTTYPE
subjectAltName=DNS:$ENV::CERTFQDN
extendedKeyUsage=$ENV::EXTCERTUSAGE