summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/common-LDAP/tasks/main.yml2
-rwxr-xr-xroles/common/files/usr/local/bin/genkeypair.sh4
2 files changed, 3 insertions, 3 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index e86fa45..60ccc76 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -43,7 +43,7 @@
--pubkey=/etc/ldap/ssl/{{ item.name }}.pem
--privkey=/etc/ldap/ssl/{{ item.name }}.key
--ou=LDAP {{ item.ou }} --cn={{ item.name }}
- --usage=digitalSignature,keyEncipherment
+ --usage=digitalSignature,keyEncipherment,keyCertSign
-t rsa -b 4096 -h sha256
--chown="root:openldap" --chmod=0640
register: r2
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index dda0f28..d6539e2 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -60,7 +60,7 @@ usage() {
--config: configuration file
--pubkey: public key file (default: pubkey.pem)
--privkey: private key file (default: privkey.pem; created with og-rwx)
- --usage: key usage (default: digitalSignature,keyEncipherment)
+ --usage: key usage (default: digitalSignature,keyEncipherment,keyCertSign)
--chmod: chmod the private key
--chown: chown the private key
@@ -171,7 +171,7 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then
subjectAltName = email:admin@fripost.org${dns:+, $dns}
basicConstraints = critical, CA:FALSE
# https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method
- keyUsage = critical, ${usage:-digitalSignature, keyEncipherment}
+ keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign}
EOF
fi