summaryrefslogtreecommitdiff
path: root/lib/libssl/doc/openssl.cnf
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2005-04-29 05:39:34 +0000
committerDamien Miller <djm@cvs.openbsd.org>2005-04-29 05:39:34 +0000
commit96d1d9b6e08bc96e9e2ca66809e78057a7ad7715 (patch)
tree3c21c706afbaf02026085e88634587633cdae96a /lib/libssl/doc/openssl.cnf
parentccd50423df222a7b368ec130192398b49e23114a (diff)
resolve conflicts
Diffstat (limited to 'lib/libssl/doc/openssl.cnf')
-rw-r--r--lib/libssl/doc/openssl.cnf57
1 files changed, 55 insertions, 2 deletions
diff --git a/lib/libssl/doc/openssl.cnf b/lib/libssl/doc/openssl.cnf
index 854d1f164eb..4c1d595b0a0 100644
--- a/lib/libssl/doc/openssl.cnf
+++ b/lib/libssl/doc/openssl.cnf
@@ -44,8 +44,8 @@ new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
-#crlnumber = $dir/crlnumber # the current crl number
- # must be commented out to leave a V1 CRL
+#crlnumber = $dir/crlnumber # the current crl number must be
+ # commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
@@ -258,3 +258,56 @@ basicConstraints = CA:true
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo