Hi, everybody. Yesterday I re-read some openssl (1.0.2d version installed) docs (man x509v3_config) and found the following note:
> Netscape Certificate Type
> This is a multi-valued extensions which consists of a list of flags to
> be included. It was used to indicate the purposes
> for which a certificate could be used. The basicConstraints, keyUsage
> and extended key usage extensions are now used
> instead.
>
> Acceptable values for nsCertType are: client, server, email, objsign,
> reserved, sslCA, emailCA, objCA.

But the default config still contains obsolete directives, with no reference to the valid ones:

/etc/ssl/openssl.cnf
…
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

Maybe it's time to update the config?

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
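An added example, not part of the original post or of OpenSSL's own code: a small check that finds nsCertType directives (active or commented out) in an openssl.cnf and proposes directives from the extensions the man page names as replacements. The flag-to-value mapping, the function names and the sample config are assumptions of this example.

```python
import re

# Conventional replacements; this mapping is an assumption, not from the post.
EKU = {"server": "serverAuth", "client": "clientAuth",
       "email": "emailProtection", "objsign": "codeSigning"}
CA_FLAGS = {"sslca", "emailca", "objca"}
DIRECTIVE = re.compile(r"^\s*(#?)\s*nsCertType\s*=\s*([^#]*)")
SECTION = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]")

def suggest(flags):
    """Return replacement directives for a list of nsCertType flags."""
    lines = []
    if any(f.lower() in CA_FLAGS for f in flags):
        lines += ["basicConstraints = critical, CA:TRUE",
                  "keyUsage = critical, keyCertSign, cRLSign"]
    eku = [EKU[f.lower()] for f in flags if f.lower() in EKU]
    if eku:
        lines.append("extendedKeyUsage = " + ", ".join(eku))
    return lines

def audit(cnf_text):
    """Find nsCertType directives, active or commented out, per section."""
    findings, section = [], "default"
    for lineno, line in enumerate(cnf_text.splitlines(), 1):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = DIRECTIVE.match(line)
        if m:
            flags = [f.strip() for f in m.group(2).split(",") if f.strip()]
            findings.append({"line": lineno, "section": section,
                             "active": m.group(1) == "", "flags": flags,
                             "replace_with": suggest(flags)})
    return findings

# Constructed sample modelled on the excerpt quoted in the post.
SAMPLE = """\
[ usr_cert ]
# nsCertType = server
# nsCertType = client, email, objsign
nsComment = "OpenSSL Generated Certificate"
[ v3_ca ]
nsCertType = sslCA, emailCA
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The `reserved` flag has no counterpart in this mapping, so a directive containing only it is reported with an empty `replace_with` list.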
