1 files changed, 55 insertions, 2 deletions
diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf
index 854d1f164e..4c1d595b0a 100644
--- a/src/lib/libssl/doc/openssl.cnf
+++ b/src/lib/libssl/doc/openssl.cnf
@@ -44,8 +44,8 @@ new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate     = $dir/cacert.pem       # The CA certificate
 serial          = $dir/serial           # The current serial number
-#crlnumber      = $dir/crlnumber        # the current crl number
+#crlnumber      = $dir/crlnumber        # the current crl number must be
-                                        # must be commented out to leave a V1 CRL
+                                        # commented out to leave a V1 CRL
 crl             = $dir/crl.pem          # The current CRL
 private_key     = $dir/private/cakey.pem# The private key
 RANDFILE        = $dir/private/.rand    # private random number file
@@ -258,3 +258,56 @@ basicConstraints = CA:true
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType                    = server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment                       = "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf index 854d1f164e..4c1d595b0a 100644 --- a/src/lib/libssl/doc/openssl.cnf +++ b/src/lib/libssl/doc/openssl.cnf
@@ -44,8 +44,8 @@ new_certs_dir = $dir/newcerts # default place for new certs.
44		44
45	certificate = $dir/cacert.pem # The CA certificate	45	certificate = $dir/cacert.pem # The CA certificate
46	serial = $dir/serial # The current serial number	46	serial = $dir/serial # The current serial number
47	#crlnumber = $dir/crlnumber # the current crl number	47	#crlnumber = $dir/crlnumber # the current crl number must be
48	# must be commented out to leave a V1 CRL	48	# commented out to leave a V1 CRL
49	crl = $dir/crl.pem # The current CRL	49	crl = $dir/crl.pem # The current CRL
50	private_key = $dir/private/cakey.pem# The private key	50	private_key = $dir/private/cakey.pem# The private key
51	RANDFILE = $dir/private/.rand # private random number file	51	RANDFILE = $dir/private/.rand # private random number file
@@ -258,3 +258,56 @@ basicConstraints = CA:true
258		258
259	# issuerAltName=issuer:copy	259	# issuerAltName=issuer:copy
260	authorityKeyIdentifier=keyid:always,issuer:always	260	authorityKeyIdentifier=keyid:always,issuer:always
		261
		262	[ proxy_cert_ext ]
		263	# These extensions should be added when creating a proxy certificate
		264
		265	# This goes against PKIX guidelines but some CAs do it and some software
		266	# requires this to avoid interpreting an end user certificate as a CA.
		267
		268	basicConstraints=CA:FALSE
		269
		270	# Here are some examples of the usage of nsCertType. If it is omitted
		271	# the certificate can be used for anything except object signing.
		272
		273	# This is OK for an SSL server.
		274	# nsCertType = server
		275
		276	# For an object signing certificate this would be used.
		277	# nsCertType = objsign
		278
		279	# For normal client use this is typical
		280	# nsCertType = client, email
		281
		282	# and for everything including object signing:
		283	# nsCertType = client, email, objsign
		284
		285	# This is typical in keyUsage for a client certificate.
		286	# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
		287
		288	# This will be displayed in Netscape's comment listbox.
		289	nsComment = "OpenSSL Generated Certificate"
		290
		291	# PKIX recommendations harmless if included in all certificates.
		292	subjectKeyIdentifier=hash
		293	authorityKeyIdentifier=keyid,issuer:always
		294
		295	# This stuff is for subjectAltName and issuerAltname.
		296	# Import the email address.
		297	# subjectAltName=email:copy
		298	# An alternative to produce certificates that aren't
		299	# deprecated according to PKIX.
		300	# subjectAltName=email:move
		301
		302	# Copy subject details
		303	# issuerAltName=issuer:copy
		304
		305	#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
		306	#nsBaseUrl
		307	#nsRevocationUrl
		308	#nsRenewalUrl
		309	#nsCaPolicyUrl
		310	#nsSslServerName
		311
		312	# This really needs to be in place for it to be a proxy certificate.
		313	proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo