Make sure that a cert with extensions gets version number 2 (v3)
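--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate field options
 default_days = 365 # how long to certify for
 default_crl_days= 30 # how long before next CRL
-default_md = sha1 # which md to use.
+default_md = default # use public key default MD
 preserve = no # keep passed DN ordering
 # A few difference way of specifying how similar the request should look
@@ -103,7 +103,7 @@ emailAddress = optional
 ####################################################################
 [ req ]
-default_bits = 1024
+default_bits = 2048
 default_keyfile = privkey.pem
 distinguished_name = req_distinguished_name
 attributes = req_attributes
@@ -115,13 +115,12 @@ x509_extensions = v3_ca # The extentions to add to the self signed cert
 # This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
 # req_extensions = v3_req # The extensions to add to a certificate request
@@ -146,7 +145,7 @@ localityName = Locality Name (eg, city)
 organizationalUnitName = Organizational Unit Name (eg, section)
 #organizationalUnitName_default =
-commonName = Common Name (eg, YOUR name)
+commonName = Common Name (e.g. server FQDN or YOUR name)
 commonName_max = 64
 emailAddress = Email Address
@@ -213,7 +212,7 @@ authorityKeyIdentifier=keyid,issuer
 #nsSslServerName
 # This is required for TSA certificates.
-extendedKeyUsage = critical,timeStamping
+# extendedKeyUsage = critical,timeStamping
 [ v3_req ]
@@ -232,7 +231,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always,issuer
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
@@ -265,7 +264,7 @@ basicConstraints = CA:true
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 # issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier=keyid:always
 [ proxy_cert_ext ]
 # These extensions should be added when creating a proxy certificate
@@ -298,7 +297,7 @@ nsComment = "OpenSSL Generated Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.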
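Review bot: The digest a CA signs with is no longer stated in the file once `default_md = default` is set in the `-72,7` hunk; it becomes whatever the library selects for the signing key type, which on an older build may presumably still be SHA-1, the value this line replaces. I would pin it instead, e.g. `default_md = sha256 # signing digest, do not rely on the library default`, or at least add a comment above the line telling the operator to confirm the signature algorithm on an issued certificate. The section this line belongs to starts outside the hunk, and the `[ req ]` hunk at `-103,7` raises `default_bits` to 2048 without showing a `default_md` of its own, so it is worth confirming that requests are not left on a weaker digest than the keys now warrant.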