Oops! Remeber to include the other patches this time...

[oweals/openssl.git] / apps / openssl.cnf

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index e5e2eee56fdcff1a73e9595c594d0bb6d640eb9e..fbf0a1ba7f46f1d7377a850d41b582814f06d24f 100644 (file)
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -127,7 +127,11 @@ basicConstraints=CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
 nsComment                      = "OpenSSL Generated Certificate"
+
+# PKIX recommendations
 subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
 
 #nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
 #nsBaseUrl
@@ -147,6 +151,8 @@ basicConstraints = CA:true
 
 subjectKeyIdentifier=hash
 
+authorityKeyIdentifier=keyid:always,issuer:always
+
 # This is what PKIX recommends but some broken software chokes on critical
 # extensions.
 #basicConstraints = critical,CA:true