-rw-r--r--usr.sbin/ikectl/ikeca.c8
-rw-r--r--usr.sbin/ikectl/ikeca.cnf7
2 files changed, 11 insertions, 4 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 06547afd214..9f95b892aaa 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.18 2010/10/08 15:45:34 jsg Exp $ */
+/* $OpenBSD: ikeca.c,v 1.19 2010/10/08 16:15:22 reyk Exp $ */
/* $vantronix: ikeca.c,v 1.13 2010/06/03 15:52:52 reyk Exp $ */
/*
@@ -219,10 +219,12 @@ ca_certificate(struct ca *ca, char *keyname, int type, int action)
switch (action) {
case CA_SERVER:
- envargs = " EXTCERTUSAGE=serverAuth";
+ envargs = " EXTCERTUSAGE=serverAuth NSCERTTYPE=server"
+ " CERTUSAGE=digitalSignature,keyEncipherment";
break;
case CA_CLIENT:
- envargs = " EXTCERTUSAGE=clientAuth";
+ envargs = " EXTCERTUSAGE=clientAuth NSCERTTYPE=client"
+ " CERTUSAGE=digitalSignature,keyAgreement";
break;
default:
break;
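Review bot: The `default:` arm of this switch still sets no role-specific values, so a certificate issued with any action other than CA_SERVER or CA_CLIENT takes its usage from the ikeca.cnf defaults, which after this commit include `NSCERTTYPE = server,client` next to `EXTCERTUSAGE = serverAuth,clientAuth`. That produces a leaf certificate usable in both roles. Its keyUsage would come from the CERTUSAGE default, which is not visible here and, in the part of ikeca.cnf shown, was previously referenced only in the section carrying `basicConstraints=critical,CA:true`, so it is worth confirming that the default suits an end-entity certificate. If the dual-role fallback is intended, a comment on the arm such as `/* no role requested: ikeca.cnf defaults apply (server and client usage) */` would make that explicit. ca_certificate() starts and ends outside this hunk, so how envargs is initialised is not shown.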
diff --git a/usr.sbin/ikectl/ikeca.cnf b/usr.sbin/ikectl/ikeca.cnf
index 321efb36f72..8a6ba77e2a0 100644
--- a/usr.sbin/ikectl/ikeca.cnf
+++ b/usr.sbin/ikectl/ikeca.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: ikeca.cnf,v 1.3 2010/10/07 09:36:33 phessler Exp $
+# $OpenBSD: ikeca.cnf,v 1.4 2010/10/08 16:15:22 reyk Exp $
# $vantronix: ikeca.cnf,v 1.3 2010/05/31 12:26:26 reyk Exp $
RANDFILE = /dev/arandom
@@ -18,6 +18,7 @@ EXTCERTUSAGE = serverAuth,clientAuth
CERTIP = 0.0.0.0
CERTFQDN = nohost.nodomain
CADB = index.txt
+NSCERTTYPE = server,client
[ req ]
default_bits = 2048
@@ -74,10 +75,14 @@ basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
keyUsage=$ENV::CERTUSAGE
[x509v3_IPAddr]
+keyUsage=$ENV::CERTUSAGE
+nsCertType=$ENV::NSCERTTYPE
subjectAltName=IP:$ENV::CERTIP
extendedKeyUsage=$ENV::EXTCERTUSAGE
[x509v3_FQDN]
+keyUsage=$ENV::CERTUSAGE
+nsCertType=$ENV::NSCERTTYPE
subjectAltName=DNS:$ENV::CERTFQDN
extendedKeyUsage=$ENV::EXTCERTUSAGE
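Review bot: The added `keyUsage=$ENV::CERTUSAGE` lines in [x509v3_IPAddr] and [x509v3_FQDN] emit the extension as non-critical, so a verifier that does not process keyUsage can ignore the restriction. RFC 5280 recommends marking it critical when present. If the peers this CA serves accept it, `keyUsage=critical,$ENV::CERTUSAGE` would be the stricter form. `nsCertType` is a legacy Netscape extension, so a short comment above each `nsCertType=$ENV::NSCERTTYPE` line naming the peers that require it would record why it is being added.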