authorBob Beck <beck@cvs.openbsd.org>2001-04-17 19:55:20 +0000
committerBob Beck <beck@cvs.openbsd.org>2001-04-17 19:55:20 +0000
commit7d0500737460926be52a8b0b54186d6c90e0d710 (patch)
tree6e80ddcf1f3f19c19ce1256697334245c5decb5a /lib/libssl
parentc9314b478c525e0ab95917d9ca82d3ec4d0572d5 (diff)
Add an x509v3.cnf in /etc/ssl so that creating certificate authorities
form isakmpd works. From Tim Newsham <newsham@lava.net> ok provos@
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/Makefile.bsd-wrapper6
-rw-r--r--lib/libssl/x509v3.cnf19
2 files changed, 23 insertions, 2 deletions
diff --git a/lib/libssl/Makefile.bsd-wrapper b/lib/libssl/Makefile.bsd-wrapper
index 6061ab86716..5aee2465f3f 100644
--- a/lib/libssl/Makefile.bsd-wrapper
+++ b/lib/libssl/Makefile.bsd-wrapper
@@ -1,5 +1,5 @@
# Build wrapper for OpenSSL
-# $OpenBSD: Makefile.bsd-wrapper,v 1.34 2001/03/09 23:06:57 deraadt Exp $
+# $OpenBSD: Makefile.bsd-wrapper,v 1.35 2001/04/17 19:55:19 beck Exp $
# Our lndir is hacked; specify a full path to avoid potential conflicts
# with the one installed with X11.
@@ -588,7 +588,9 @@ tags:
distribution:
${INSTALL} ${INSTALL_COPY} -g ${BINGRP} -m 444 \
- ${.CURDIR}/openssl.cnf ${DESTDIR}/etc/ssl/openssl.cnf
+ ${.CURDIR}/openssl.cnf ${DESTDIR}/etc/ssl/openssl.cnf && \
+ ${INSTALL} ${INSTALL_COPY} -g ${BINGRP} -m 444 \
+ ${.CURDIR}/x509v3.cnf ${DESTDIR}/etc/ssl/x509v3.cnf
.include <bsd.obj.mk>
.include <bsd.subdir.mk>
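Review bot: The added install of `x509v3.cnf` pins the group and mode but not the owner, so the file under `${DESTDIR}/etc/ssl` is owned by whoever runs the `distribution` target; the existing `openssl.cnf` install has the same gap. This file defines the extensions applied when a CA certificate is created, so naming the owner explicitly is worth it, for example `${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \` on both commands. As a point of style, the `&& \` chain is not needed, because make normally stops at the first failing recipe line; two separate recipe lines would read more simply.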
diff --git a/lib/libssl/x509v3.cnf b/lib/libssl/x509v3.cnf
new file mode 100644
index 00000000000..f1e3c741bcb
--- /dev/null
+++ b/lib/libssl/x509v3.cnf
@@ -0,0 +1,19 @@
+# default settings
+CERTPATHLEN = 1
+CERTUSAGE = digitalSignature,keyCertSign
+CERTIP = 0.0.0.0
+
+# This section should be referenced when building an x509v3 CA
+# Certificate.
+# The default path length and the key usage can be overriden
+# modified by setting the CERTPATHLEN and CERTUSAGE environment
+# variables.
+[x509v3_CA]
+basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
+keyUsage=$ENV::CERTUSAGE
+
+# This section should be referenced to add an IP Address
+# as an alternate subject name, needed by isakmpd
+# The address must be provided in the CERTIP environment variable
+[x509v3_IPAddr]
+subjectAltName=IP:$ENV::CERTIP
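Review bot: With the `CERTIP = 0.0.0.0` default, a run that forgets to export CERTIP still gets a certificate out of `[x509v3_IPAddr]`, carrying `IP:0.0.0.0` as its subject alternative name, rather than an error. The default is presumably there so the file parses when the variable is unset, so the least intrusive fix is a comment on that line such as `# placeholder only; set CERTIP to the host's real address before using x509v3_IPAddr`. In `[x509v3_CA]`, `basicConstraints` is marked critical but `keyUsage` is not; `keyUsage=critical,$ENV::CERTUSAGE` would require relying software to honour the usage restriction on the CA key. The comment above that section reads "overriden modified", where one of the two words should be dropped.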