[openssl-dev] 1.0.2d — obsolete directives in openssl.cnf?

Ikonta ikonta at yandex.ru
Wed Sep 2 08:24:04 UTC 2015


Hi, everybody.

Yesterday I re-read some openssl docs (1.0.2d version installed; man x509v3_config) and found the following note:

>   Netscape Certificate Type
>       This is a multi-valued extension which consists of a list of flags to be included. It was used to indicate the purposes
>       for which a certificate could be used. The basicConstraints, keyUsage and extended key usage extensions are now used
>       instead.
>
>       Acceptable values for nsCertType are: client, server, email, objsign, reserved, sslCA, emailCA, objCA.


But the default config still contains the obsolete directives, with no reference to the valid ones:
/etc/ssl/openssl.cnf
…
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

Maybe it's time to update the config?
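As an added example (not part of Ikonta's message and not OpenSSL project code), here is a small Python audit that scans an openssl.cnf-style file for the obsolete Netscape directives and reports what the man page says should be used instead. The per-flag correspondence (client -> clientAuth, server -> serverAuth, email -> emailProtection, objsign -> codeSigning, the *CA flags -> basicConstraints CA:TRUE plus keyCertSign) is an assumption made for this example; the man page only states that basicConstraints, keyUsage and extendedKeyUsage replace nsCertType. The sample config is constructed and modelled on the quoted usr_cert section.

```python
"""Audit openssl.cnf-style extension sections for obsolete Netscape directives.

Added example, not OpenSSL project code. The nsCertType -> modern-extension
mapping below is an assumption made for this example.
"""
import re
from dataclasses import dataclass

# Assumed equivalents for each legacy nsCertType flag (the x509v3_config man
# page only states that basicConstraints, keyUsage and extendedKeyUsage
# replace nsCertType; the per-flag correspondence is this example's choice).
CA_EQUIV = ("basicConstraints = critical, CA:TRUE "
            "+ keyUsage = critical, keyCertSign, cRLSign")
NSCERTTYPE_EQUIVALENTS = {
    "client":   "extendedKeyUsage = clientAuth",
    "server":   "extendedKeyUsage = serverAuth",
    "email":    "extendedKeyUsage = emailProtection",
    "objsign":  "extendedKeyUsage = codeSigning",
    "sslCA":    CA_EQUIV,
    "emailCA":  CA_EQUIV,
    "objCA":    CA_EQUIV,
    "reserved": "no modern equivalent; remove",
}

# Netscape-only informational extensions: nothing replaces them, just drop them.
INFORMATIONAL_NETSCAPE = {
    "nsComment", "nsBaseUrl", "nsRevocationUrl", "nsCaRevocationUrl",
    "nsRenewalUrl", "nsCaPolicyUrl", "nsSslServerName",
}

MODERN_PURPOSE_EXTENSIONS = {"basicConstraints", "keyUsage", "extendedKeyUsage"}

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
# Matches "key = value"; an optional leading '#' marks a commented-out example.
DIRECTIVE_RE = re.compile(r"^\s*(#\s*)?([A-Za-z][\w.]*)\s*=\s*(.*?)\s*$")


@dataclass
class Finding:
    line: int
    section: str
    directive: str
    active: bool      # False when the directive is commented out
    message: str


def audit(cnf_text):
    """Return a list of Finding objects for legacy Netscape directives."""
    findings = []
    section = "(default)"
    modern_in_section = {}   # section -> set of active modern extensions
    legacy_in_section = {}   # section -> first line of an active nsCertType

    for lineno, raw in enumerate(cnf_text.splitlines(), 1):
        sec = SECTION_RE.match(raw)
        if sec:
            section = sec.group(1)
            continue
        m = DIRECTIVE_RE.match(raw)
        if not m:
            continue
        active = m.group(1) is None
        key, value = m.group(2), m.group(3)

        if active and key in MODERN_PURPOSE_EXTENSIONS:
            modern_in_section.setdefault(section, set()).add(key)

        if key == "nsCertType":
            flags = [f.strip() for f in value.split(",") if f.strip()]
            repl = [NSCERTTYPE_EQUIVALENTS.get(f, f"unknown flag {f!r}") for f in flags]
            findings.append(Finding(lineno, section, key, active,
                                    "obsolete; replace with: " + "; ".join(repl)))
            if active:
                legacy_in_section.setdefault(section, lineno)
        elif key in INFORMATIONAL_NETSCAPE:
            findings.append(Finding(lineno, section, key, active,
                                    "Netscape-only informational extension; "
                                    "no replacement needed, safe to drop"))

    # Highest-priority case: a section constrains certificate purpose only
    # through an extension the documentation marks as superseded.
    for sec_name, first_line in legacy_in_section.items():
        if not modern_in_section.get(sec_name):
            findings.append(Finding(first_line, sec_name, "nsCertType", True,
                                    "section has no basicConstraints/keyUsage/"
                                    "extendedKeyUsage; purpose is constrained "
                                    "only by the obsolete nsCertType"))
    return findings


# Constructed sample: usr_cert as shipped in the 1.0.2 default file, plus a
# section that relies on nsCertType alone.
SAMPLE_CNF = """\
# constructed sample for the audit above
[ usr_cert ]
basicConstraints = CA:FALSE
# nsCertType = server
# nsCertType = client, email
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash

[ v3_legacy_server ]
nsCertType = server
subjectKeyIdentifier = hash
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CNF):
        state = "ACTIVE" if f.active else "commented"
        print(f"line {f.line:>3} [{f.section}] {f.directive} ({state}): {f.message}")
```

Commented-out directives are reported as inactive so the stale examples in the default file show up too; the last finding is the one that matters operationally, a section whose only purpose restriction is the superseded extension.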
