Robert Hannemann wrote:
>
> Hello,
Hi,
> Wich extensions should have a CA cert to be able for signing SSL Client Certs -
> and wich extensions ( in openssl.cnf ) the Client Cert must have ?
Well, you can have a look into the openssl/docs directory (openssl.txt)
where there is an extensions description. Anyway a CA is enabled to sign
any kind of certificate, just set the CA:TRUE in the basicConstains, you
can also use the sslCA in the nsCertType but it is not requested. For
clients you can use:
nsCertType=client, email
keyUsage=digitalSignature,keyEncipherment,dataEncipherment,
keyAgreement
(digital signature is not required, I guess, but suggested)
Hope this helps. Don't forget to post your questions to the mailing lists
(users) for the sake of all the subscribers... :-D
--
C'you,
Massimiliano Pala
--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.openca.org Tel.: +39 (0)59 270 094
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365
S/MIME Cryptographic Signature
