From 3ff1e540bf170acabd9d5580b4d10acab543acda Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Fri, 12 Sep 2014 20:59:39 +0200
Subject: Key usage 'keyCertSign' is required for self-signed certificates.

---
 roles/common/files/usr/local/bin/genkeypair.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'roles/common/files')

diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index dda0f28..d6539e2 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -60,7 +60,7 @@ usage() {
 		    --config:   configuration file
 		    --pubkey:   public key file (default: pubkey.pem)
 		    --privkey:  private key file (default: privkey.pem; created with og-rwx)
-		    --usage:    key usage (default: digitalSignature,keyEncipherment)
+		    --usage:    key usage (default: digitalSignature,keyEncipherment,keyCertSign)
 		    --chmod:    chmod the private key
 		    --chown:    chown the private key
 
@@ -171,7 +171,7 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then
 		subjectAltName   = email:admin@fripost.org${dns:+, $dns}
 		basicConstraints = critical, CA:FALSE
 		# https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method
-		keyUsage         = critical, ${usage:-digitalSignature, keyEncipherment}
+		keyUsage         = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign}
 	EOF
 fi
 
-- 
cgit v1.2.3