From 44064cf69236f85f372973a99f5f6ecbded21308 Mon Sep 17 00:00:00 2001 From: CarbonLifeForm Date: Thu, 15 Dec 2011 15:51:15 -0500 Subject: [PATCH] modifications for psych0tik use changed default-days, bits, key usages, basicConstraints, etc. --- openssl.cnf | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/openssl.cnf b/openssl.cnf index c3c2e93..7b15c65 100644 --- a/openssl.cnf +++ b/openssl.cnf @@ -70,7 +70,7 @@ cert_opt = ca_default # Certificate field options # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext -default_days = 365 # how long to certify for +default_days = 730 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = default # use public key default MD preserve = no # keep passed DN ordering @@ -103,7 +103,7 @@ emailAddress = optional #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes @@ -131,19 +131,20 @@ countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Some-State +stateOrProvinceName_default = Unknown localityName = Locality Name (eg, city) +localityName_default = Unknown 0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd +0.organizationName_default = psych0tik network # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd 0.organizationalUnitName = Organizational Unit Name (eg, section) -#0.organizationalUnitName_default = +0.organizationalUnitName_default = IRC #1.organizationalUnitName = Organizational Unit Name (eg, section) #1.organizationalUnitName_default = 
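Review bot: In the `@@ -131,19 +131,20 @@` hunk, the new `stateOrProvinceName_default = Unknown` and `localityName_default = Unknown` lines mean that anyone who accepts the prompts gets ST=Unknown and L=Unknown in the certificate subject. Those values identify nothing and make issued subjects harder to audit. If the CA policy section (not visible here) uses `match` for stateOrProvinceName and the CA itself was created with ST=Unknown, a request carrying a real state value would be rejected. I would leave both defaults unset so the attributes are omitted when nothing is entered, or set them to the network's real values.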
@@ -153,6 +154,7 @@ commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 +emailAddress_default = irc-staff@psych0tik.net # SET-ex3 = SET extension number 3 @@ -189,6 +191,11 @@ basicConstraints=CA:FALSE # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment +keyUsage = keyEncipherment, digitalSignature + +# Extended key usage +extendedKeyUsage=serverAuth, msSGC, nsSGC +nsCertType=server # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" @@ -245,10 +252,10 @@ basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. -# keyUsage = cRLSign, keyCertSign +keyUsage = cRLSign, keyCertSign # Some might want this also -# nsCertType = sslCA, emailCA +nsCertType = sslCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy @@ -296,7 +303,7 @@ basicConstraints=CA:FALSE # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" +# nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash
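Review bot: In the `@@ -189,6 +191,11 @@` hunk, the added `extendedKeyUsage=serverAuth, msSGC, nsSGC` carries two legacy Server Gated Crypto usages from the export-cipher era that current TLS clients do not need, and `nsCertType=server` is a deprecated Netscape extension; `extendedKeyUsage = serverAuth` alone expresses the intent. The new `keyUsage` line is not marked critical, which RFC 5280 recommends when the extension is present: `keyUsage = critical, digitalSignature, keyEncipherment`. The section header is outside the hunk, but if this is the default extension section used when signing, every issued certificate becomes server-only and client certificates would need their own section with `clientAuth`. `nsComment` also stays active directly below these lines, while the same line is commented out in the `@@ -296,7 +303,7 @@` hunk.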
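Review bot: In the `@@ -245,10 +252,10 @@` hunk, the now-active `keyUsage = cRLSign, keyCertSign` contradicts the comment above it, which still says the setting is best left out by default. That comment should be updated to say the CA certificate is deliberately restricted to certificate and CRL signing. RFC 5280 expects the constraining extensions of a CA certificate to be critical, so I would write `keyUsage = critical, cRLSign, keyCertSign`. The hunk header shows `basicConstraints = CA:true` still without `critical`, although that line sits outside the hunk. `nsCertType = sslCA` is a deprecated Netscape extension and can be dropped unless an old client requires it.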