[openssl-dev] 1.0.2d — obsolete directives in openssl.cnf?
Ikonta
ikonta at yandex.ru
Wed Sep 2 08:24:04 UTC 2015
Hi, everybody.
Yesterday I re-read some openssl (1.0.2d version installed) docs (man x509v3_config) and found the following note:
> Netscape Certificate Type
> This is a multi-valued extensions which consists of a list of flags to be included. It was used to indicate the purposes
> for which a certificate could be used. The basicConstraints, keyUsage and extended key usage extensions are now used
> instead.
>
> Acceptable values for nsCertType are: client, server, email, objsign, reserved, sslCA, emailCA, objCA.
But the default config still contains obsolete directives, with no reference to valid ones:
/etc/ssl/openssl.cnf
…
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
Maybe it's time to update the config?
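For reference, here is what the commented-out nsCertType lines map to in terms of the extensions the man page names as their replacement (basicConstraints, keyUsage, extendedKeyUsage). This is an added example, not text from the post or from OpenSSL's shipped openssl.cnf; the section names are chosen here and are selected with `-extensions <section>` on `openssl req` or `openssl x509 -extfile`.

```ini
# Added example: legacy nsCertType values beside the modern extensions
# that express the same intent. Section names are arbitrary.

[ v3_server ]
# legacy:  nsCertType = server
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ v3_client ]
# legacy:  nsCertType = client, email
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ v3_objsign ]
# legacy:  nsCertType = objsign
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning

[ v3_ca ]
# legacy:  nsCertType = sslCA, emailCA, objCA
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
```

A certificate issued from one of these sections can be checked against its intended role with `openssl verify -purpose sslserver` (or `sslclient`, `smimesign`, and so on), which is what path validators actually enforce.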