authorReyk Floeter <reyk@cvs.openbsd.org>2010-06-26 18:42:03 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2010-06-26 18:42:03 +0000
commit0f83144b07f58e6a194b77936b2b410e777ae5b9 (patch)
tree337d6f6c6a961eeb89c0ab98a1050d3cea367c83 /lib/libssl/x509v3.cnf
parente13ef0854515605af4b61d19069a0c9543a8b002 (diff)
Add the extendedKeyUsage flags serverAuth and clientAuth. Newer Windows
versions require these flags to accept the X.509 certificates from the gateway or client; I just add both flags to make it work in both cases and verified it with win7, for example when authenticating against iked. go ahead beck@
Diffstat (limited to 'lib/libssl/x509v3.cnf')
-rw-r--r--lib/libssl/x509v3.cnf3
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/libssl/x509v3.cnf b/lib/libssl/x509v3.cnf
index 5835534b965..8c6b775da18 100644
--- a/lib/libssl/x509v3.cnf
+++ b/lib/libssl/x509v3.cnf
@@ -1,6 +1,7 @@
# default settings
CERTPATHLEN = 1
CERTUSAGE = digitalSignature,keyCertSign,cRLSign
+EXTCERTUSAGE = serverAuth,clientAuth
CERTIP = 0.0.0.0
CERTFQDN = nohost.nodomain
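Review bot: The default on the added `EXTCERTUSAGE` line gives every certificate issued with these defaults both serverAuth and clientAuth, so a client certificate would also be accepted as a gateway certificate by any peer that relies on extendedKeyUsage to tell the two roles apart. The commit message says both flags are set deliberately for interoperability, so the default can stay, but it should be documented as something callers narrow per role. I would add above it `# EXTCERTUSAGE: set to serverAuth or clientAuth alone in the environment to issue a single-role certificate`. The same value is read by both `extendedKeyUsage=$ENV::EXTCERTUSAGE` lines in the next hunk.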
@@ -18,9 +19,11 @@ keyUsage=$ENV::CERTUSAGE
# The address must be provided in the CERTIP environment variable
[x509v3_IPAddr]
subjectAltName=IP:$ENV::CERTIP
+extendedKeyUsage=$ENV::EXTCERTUSAGE
# This section should be referenced to add a FQDN hostname
# as an alternate subject name, needed by isakmpd
# The address must be provided in the CERTFQDN environment variable
[x509v3_FQDN]
subjectAltName=DNS:$ENV::CERTFQDN
+extendedKeyUsage=$ENV::EXTCERTUSAGE
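Review bot: The comments above `[x509v3_IPAddr]` and `[x509v3_FQDN]` still name only CERTIP and CERTFQDN as inputs, although each section now also reads EXTCERTUSAGE. Add a line to each header comment such as `# extendedKeyUsage is taken from the EXTCERTUSAGE environment variable`. The comment block for `[x509v3_IPAddr]` starts above the hunk, so its first lines are not visible here. The section holding `keyUsage=$ENV::CERTUSAGE` gets no extendedKeyUsage, which is presumably intended but worth confirming.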