1c1
< # $FreeBSD: head/crypto/openssl/apps/openssl.cnf 142428 2005-02-25 05:49:44Z nectar $
---
> # $FreeBSD: head/crypto/openssl/apps/openssl.cnf 160817 2006-07-29 19:14:51Z simon $
48,49c48,49
< #crlnumber = $dir/crlnumber # the current crl number must be
< # commented out to leave a V1 CRL
---
> crlnumber = $dir/crlnumber # the current crl number
> # must be commented out to leave a V1 CRL
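Review bot: Uncommenting `crlnumber = $dir/crlnumber` makes CRL generation depend on that file, and the comment only says how to get a V1 CRL, not that the file has to be created first. As far as I know `openssl ca -gencrl` fails when the configured CRL number file is missing, so an existing CA directory built from the old config would probably break on its next CRL run. I would add a line such as `# the file must exist and contain a hex number (e.g. 01) before the first -gencrl` next to it. The CA section this key belongs to starts outside the hunk.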
71c71
< default_md = md5 # which md to use.
---
> default_md = sha1 # which md to use.
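Review bot: `default_md = sha1` on the changed line still selects a digest with known collision weaknesses for signing certificates and CRLs. Moving off md5 is right, but a SHA-2 digest is the safer default if the OpenSSL version being imported supports it. I would write `default_md = sha256 # which md to use.` after confirming the bundled `ca` and `req` apps accept that name. The section this key sits in starts outside the hunk, so check whether other sections set their own digest as well.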
192c192
< authorityKeyIdentifier=keyid,issuer:always
---
> authorityKeyIdentifier=keyid,issuer
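Review bot: This line drops `:always` from `authorityKeyIdentifier`, but the new `[ proxy_cert_ext ]` section added later in the same diff still uses `authorityKeyIdentifier=keyid,issuer:always`. The two sections will therefore emit different authority key identifier contents with nothing explaining why. If the relaxation is intentional, either make the proxy section match (`authorityKeyIdentifier=keyid,issuer`) or add a one-line comment in each place stating the reason for the difference. The section containing this line is outside the hunk, so which certificate profile it affects should be confirmed.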
261a262,314
>
> [ proxy_cert_ext ]
> # These extensions should be added when creating a proxy certificate
>
> # This goes against PKIX guidelines but some CAs do it and some software
> # requires this to avoid interpreting an end user certificate as a CA.
>
> basicConstraints=CA:FALSE
>
> # Here are some examples of the usage of nsCertType. If it is omitted
> # the certificate can be used for anything *except* object signing.
>
> # This is OK for an SSL server.
> # nsCertType = server
>
> # For an object signing certificate this would be used.
> # nsCertType = objsign
>
> # For normal client use this is typical
> # nsCertType = client, email
>
> # and for everything including object signing:
> # nsCertType = client, email, objsign
>
> # This is typical in keyUsage for a client certificate.
> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
> # This will be displayed in Netscape's comment listbox.
> nsComment = "OpenSSL Generated Certificate"
>
> # PKIX recommendations harmless if included in all certificates.
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer:always
>
> # This stuff is for subjectAltName and issuerAltname.
> # Import the email address.
> # subjectAltName=email:copy
> # An alternative to produce certificates that aren't
> # deprecated according to PKIX.
> # subjectAltName=email:move
>
> # Copy subject details
> # issuerAltName=issuer:copy
>
> #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
> #nsBaseUrl
> #nsRevocationUrl
> #nsRenewalUrl
> #nsCaPolicyUrl
> #nsSslServerName
>
> # This really needs to be in place for it to be a proxy certificate.
> proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
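Review bot: The `proxyCertInfo` line at the end of the new section is active and ships with `policy:foo` and `pathlen:3`, and its only comment says the extension must be present. Anyone issuing with `-extensions proxy_cert_ext` unchanged gets a proxy certificate with a placeholder policy that may delegate three levels further. I would add a comment above it such as `# example values only: replace policy:foo and set pathlen to the smallest delegation depth you need`, and consider shipping the line commented out like the other examples in this section. The two comment lines above `basicConstraints=CA:FALSE` appear to be carried over from the end-user certificate section and should be reworded for proxy certificates.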