diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2005-04-29 05:39:34 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2005-04-29 05:39:34 +0000 |
commit | 96d1d9b6e08bc96e9e2ca66809e78057a7ad7715 (patch) | |
tree | 3c21c706afbaf02026085e88634587633cdae96a /lib/libssl/doc/openssl.cnf | |
parent | ccd50423df222a7b368ec130192398b49e23114a (diff) |
resolve conflicts
Diffstat (limited to 'lib/libssl/doc/openssl.cnf')
-rw-r--r-- | lib/libssl/doc/openssl.cnf | 57 |
1 files changed, 55 insertions, 2 deletions
diff --git a/lib/libssl/doc/openssl.cnf b/lib/libssl/doc/openssl.cnf index 854d1f164eb..4c1d595b0a0 100644 --- a/lib/libssl/doc/openssl.cnf +++ b/lib/libssl/doc/openssl.cnf @@ -44,8 +44,8 @@ new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number -#crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL +#crlnumber = $dir/crlnumber # the current crl number must be + # commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file @@ -258,3 +258,56 @@ basicConstraints = CA:true # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo |