| author | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-06-26 18:42:03 +0000 |
|---|---|---|
| committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-06-26 18:42:03 +0000 |
| commit | 0f83144b07f58e6a194b77936b2b410e777ae5b9 | |
| tree | 337d6f6c6a961eeb89c0ab98a1050d3cea367c83 /lib/libssl/x509v3.cnf | |
| parent | e13ef0854515605af4b61d19069a0c9543a8b002 | |

Add the extendedKeyUsage flags serverAuth and clientAuth. Newer Windows
versions require these flags to accept the X.509 certificates from the
gateway or client; I just add both flags to make it work in both cases
and verified it with win7, for example when authenticating against iked.
go ahead beck@
Diffstat (limited to 'lib/libssl/x509v3.cnf')
-rw-r--r-- | lib/libssl/x509v3.cnf | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/libssl/x509v3.cnf b/lib/libssl/x509v3.cnf index 5835534b965..8c6b775da18 100644 --- a/lib/libssl/x509v3.cnf +++ b/lib/libssl/x509v3.cnf @@ -1,6 +1,7 @@ # default settings CERTPATHLEN = 1 CERTUSAGE = digitalSignature,keyCertSign,cRLSign +EXTCERTUSAGE = serverAuth,clientAuth CERTIP = 0.0.0.0 CERTFQDN = nohost.nodomain @@ -18,9 +19,11 @@ keyUsage=$ENV::CERTUSAGE # The address must be provided in the CERTIP environment variable [x509v3_IPAddr] subjectAltName=IP:$ENV::CERTIP +extendedKeyUsage=$ENV::EXTCERTUSAGE # This section should be referenced to add a FQDN hostname # as an alternate subject name, needed by isakmpd # The address must be provided in the CERTFQDN environment variable [x509v3_FQDN] subjectAltName=DNS:$ENV::CERTFQDN +extendedKeyUsage=$ENV::EXTCERTUSAGE |
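
Review bot: In the first hunk, the new default `EXTCERTUSAGE = serverAuth,clientAuth` has no comment, and it gives every certificate issued with these defaults both purposes, so a certificate meant for a client is also acceptable as a gateway (server) certificate to any peer that relies on the EKU to tell the two roles apart. The commit message says both flags are set on purpose so one config works in both cases; please record that next to the default and note that a caller can set EXTCERTUSAGE in the environment to a single purpose when issuing a certificate for one role only.

Review bot: In the second hunk, the `extendedKeyUsage=$ENV::EXTCERTUSAGE` lines added to `[x509v3_IPAddr]` and `[x509v3_FQDN]` are not reflected in the section comments, which still name only CERTIP and CERTFQDN as the variables the caller provides. Suggest extending both comments to mention EXTCERTUSAGE and its default. Also worth confirming: in the lines shown, the EKU is attached only to these two subjectAltName sections, so a certificate issued through any other extension section in this file would not carry it.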