From 3ff1e540bf170acabd9d5580b4d10acab543acda Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 12 Sep 2014 20:59:39 +0200 Subject: Key usage 'keyCertSign' is required for self-signed certificates. --- roles/common/files/usr/local/bin/genkeypair.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'roles/common/files/usr/local/bin') diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index dda0f28..d6539e2 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -60,7 +60,7 @@ usage() { --config: configuration file --pubkey: public key file (default: pubkey.pem) --privkey: private key file (default: privkey.pem; created with og-rwx) - --usage: key usage (default: digitalSignature,keyEncipherment) + --usage: key usage (default: digitalSignature,keyEncipherment,keyCertSign) --chmod: chmod the private key --chown: chown the private key @@ -171,7 +171,7 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then subjectAltName = email:admin@fripost.org${dns:+, $dns} basicConstraints = critical, CA:FALSE # https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method - keyUsage = critical, ${usage:-digitalSignature, keyEncipherment} + keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} EOF fi -- cgit v1.2.3