keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations
subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true