author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2022-08-25 17:45:40 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-11-18 15:10:02 +0100 |
commit | a275afc527d05b5187b457bdbcd0e1dcb18839f1 (patch) | |
tree | 27e1cf72bbde92dfa41ea8f98e0b281a02d86d5b /test/smime-certs | |
parent | 8a2f9a7cc8ab588d23fb96afd696f9da2c61c2c7 (diff) | |
download | openssl-new-a275afc527d05b5187b457bdbcd0e1dcb18839f1.tar.gz |
test/smime-certs/ca.cnf: clean up comments, simplify settings using SKID and AKID defaults
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19064)
Diffstat (limited to 'test/smime-certs')
-rw-r--r-- | test/smime-certs/ca.cnf | 51 |
1 files changed, 22 insertions, 29 deletions
diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
index 7d453e8957..9e6f8a917e 100644
--- a/test/smime-certs/ca.cnf
+++ b/test/smime-certs/ca.cnf
@@ -18,8 +18,8 @@ default_keyfile = privkey.pem
 # Don't prompt for fields: use those in section directly
 prompt = no
 distinguished_name = req_distinguished_name
-x509_extensions = v3_ca # The extensions to add to the self signed cert
-string_mask = utf8only
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+string_mask = utf8only
 # req_extensions = v3_req # The extensions to add to a certificate request
@@ -32,46 +32,39 @@ commonName = $ENV::CN
 [ usr_cert ]
-# These extensions are added when 'ca' signs a request for an end entity
-# certificate
+# These extensions are added when 'ca' signs a request for a normal end-entity
+# certificate with key usage restrictions compatible with RSA keys
-basicConstraints=critical, CA:FALSE
-keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+basicConstraints = CA:FALSE
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
+# Following SKID and AKID settings are meanwhile by default in all certificates.
+# See doc/man5/x509v3_config.pod for details.
-[ dh_cert ]
+# subjectKeyIdentifier = hash
+# authorityKeyIdentifier = keyid, issuer
-# These extensions are added when 'ca' signs a request for an end entity
-# DH certificate
+[ dh_cert ]
-basicConstraints=critical, CA:FALSE
-keyUsage=critical, keyAgreement
+# These extensions are added when 'ca' signs a request for an end-entity
+# DH certificate, for which only key agreement makes sense
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
+basicConstraints = CA:FALSE
+keyUsage = critical, keyAgreement
 [ codesign_cert ]
 # These extensions are added when 'ca' signs a request for a code-signing
-# end-entity certificate
+# end-entity certificate compatible with RSA and ECC keys
-basicConstraints=CA:FALSE
-keyUsage=critical, digitalSignature
-extendedKeyUsage=codeSigning
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature
+extendedKeyUsage = codeSigning
 [ v3_ca ]
+# Extensions for a typical CA as required by RFC 5280 etc.
+# SKID and AKID are by default set according to PKIX recommendation.
-# Extensions for a typical CA
-
-# PKIX recommendation.
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always
-basicConstraints = critical,CA:true
+basicConstraints = critical, CA:true
 keyUsage = critical, cRLSign, keyCertSign
- |
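Review bot: Dropping `authorityKeyIdentifier=keyid:always` from `[ v3_ca ]` changes what the self-signed CA certificate carries, yet the new comment only says SKID and AKID follow the PKIX default; the app default presumably omits the AKID on a self-signed certificate (RFC 5280 permits this for a self-signed CA), whereas `keyid:always` forced it in. Since the `[ usr_cert ]` comment lists `# authorityKeyIdentifier = keyid, issuer` as the default, a reader may assume the root now carries that too; I would make the CA comment explicit: `# SKID defaults to hash; for this self-signed CA the AKID is omitted by default (permitted by RFC 5280). Set authorityKeyIdentifier = keyid:always to restore the previous behaviour.` The same dependency on app defaults applies to `[ usr_cert ]` and `[ dh_cert ]`, so the "See doc/man5/x509v3_config.pod" pointer is worth repeating in `[ v3_ca ]`. As a wording point, "are meanwhile by default in all certificates" in the `[ usr_cert ]` comment reads better as "are now set by default in all certificates".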