cacert-devel - Patch request: Bug #540

Subject: CAcert Code Development list.

  • From: Michael Tänzer <michael.taenzer AT cacert.org>
  • To: "critical-admin AT cacert.org" <critical-admin AT cacert.org>
  • Cc: cacert-devel AT lists.cacert.org, Ulrich Schröter CAcert <ulrich AT cacert.org>, Dirk Astrath <dirk.astrath AT cacert.org>, Daniel Wagner <dwkwaxi AT gmail.com>, Marcus Mängel <inopiae AT cacert.org>, Kenneth Van Wyk <ken AT krvw.com>
  • Subject: Patch request: Bug #540
  • Date: Wed, 25 Jul 2012 00:07:51 +0200
  • Openpgp: id=9940BEF1

Hi folks,

We have a fix for https://bugs.cacert.org/view.php?id=540
"No key usage attribute in cacert org certs anymore?"

The fix was reviewed by Dirk Astrath (dastrath) and me (NEOatNHNG) and
tested by Ulrich Schröter (Uli60), Daniel Wagner (Kwaxi), Marcus Mängel
(INOPIAE) and Kenneth Van Wyk.

Diff is attached (bug-540.diff). Please also run the locale makefile so
that our translators see the new strings (if present) on
https://translations.cacert.org and new translations get imported into
the system.


The patch also needs to be applied to the signing server and
additionally the changes found in the svn_bug-540.diff need to be
applied to the openssl config files on the signer.


Changed files:
CommModule/server.pl
www/policy/CertificationPracticeStatement.php


-- 
Have a nice day,
Michael Tänzer
diff --git a/CommModule/server.pl b/CommModule/server.pl
index eb5113a..c70bc9a 100755
--- a/CommModule/server.pl
+++ b/CommModule/server.pl
@@ -502,9 +502,28 @@ sub SignX509($$$$$$$$)
   {
     open OUT,">$wid/extfile";
     print OUT "basicConstraints = critical, CA:FALSE\n";
+    print OUT "keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement\n";
     print OUT "extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC\n";
-    print OUT "keyUsage = digitalSignature, keyEncipherment\n";
     print OUT "authorityInfoAccess = OCSP;URI:$OCSPUrl\n";
+    
+    my $CRLUrl="";
+    if($root==0)
+    {
+        $CRLUrl="http://crl.cacert.org/revoke.crl";;
+    }
+    elsif($root==1)
+    {
+        $CRLUrl="http://crl.cacert.org/class3-revoke.crl";;
+    }
+    elsif($root==2)
+    {
+        $CRLUrl="http://crl.cacert.org/class3s-revoke.crl";;
+    }
+    else
+    {
+        $CRLUrl="http://crl.cacert.org/root${root}.crl";;
+    }
+    print OUT "crlDistributionPoints = URI:${CRLUrl}\n";
     print OUT "subjectAltName = $san\n" if(length($san));
     close OUT;
     $extfile=" -extfile $wid/extfile ";
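Review bot: stray doubled semicolons end each of the four `$CRLUrl=` assignments (for example `...revoke.crl";;`), and the blank `+` line above `my $CRLUrl` carries trailing whitespace; Perl accepts both, but they should be cleaned up before this goes to the signer. The if/elsif chain also hard-codes the same root-to-CRL mapping that the openssl config files in this request carry in `crlDistributionPoints`, so the two can drift apart; a single lookup hash keyed on `$root`, with the `root${root}.crl` form as the fallback, would keep the mapping in one place in this file. Since `$root` is interpolated into the URL in the else branch, it is also worth confirming that it is validated as an integer before SignX509 is reached.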
diff --git a/www/policy/CertificationPracticeStatement.php b/www/policy/CertificationPracticeStatement.php
index e17056b..2a9bd11 100644
--- a/www/policy/CertificationPracticeStatement.php
+++ b/www/policy/CertificationPracticeStatement.php
@@ -3203,54 +3203,50 @@ The form of the PGP signatures depends on several factors, therefore no stipulat
 <h4><a name="p7.1.2" id="p7.1.2">7.1.2. Certificate extensions</a></h4>
 
 <p>
-Client certificates include the following extensions:.
+  Client certificates include the following extensions:
 </p>
-<ul><li>
-    basicConstraints=CA:FALSE (critical)
-  </li><li>
-    keyUsage=digitalSignature,keyEncipherment,cRLSign
-  </li><li>
-  </li><li>
-    extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC
-  </li><li>
-    authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-  </li><li>
-    subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).
-</li></ul>
+<ul>
+  <li>basicConstraints=CA:FALSE (critical)</li>
+  <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+  <li>extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC</li>
+  <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+  <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced 
+    with the URI where the certificate revocation list relating to the 
+    certificate is found</li>
+  <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
   <ul class="q">
     <li> what about Client Certificates Adobe Signing extensions ?</li>
     <li> SubjectAltName should become critical if DN is removed http://tools.ietf.org/html/rfc5280#section-4.2.1.6</li>
   </ul>
 
-
 <p>
-Server certificates include the following extensions:
+  Server certificates include the following extensions:
 </p>
-<ul><li>
-    basicConstraints=CA:FALSE (critical)
-  </li><li>
-    keyUsage=digitalSignature,keyEncipherment
-  </li><li>
-    extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC
-  </li><li>
-    authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-  </li><li>
-    subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).
-</li></ul>
+<ul>
+  <li>basicConstraints=CA:FALSE (critical)</li>
+  <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+  <li>extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC</li>
+  <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+  <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced 
+    with the URI where the certificate revocation list relating to the 
+    certificate is found</li>
+  <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
 
 <p>
-Code-Signing certificates include the following extensions:
+  Code-Signing certificates include the following extensions:
 </p>
-
-<ul><li>
-    basicConstraints=CA:FALSE (critical)
-  </li><li>
-    keyUsage=digitalSignature,keyEncipherment
-  </li><li>
-    extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-  </li><li>
-    authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-</li></ul>
+<ul>
+  <li>basicConstraints=CA:FALSE (critical)</li>
+  <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+  <li>extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC</li>
+  <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+  <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced 
+    with the URI where the certificate revocation list relating to the 
+    certificate is found</li>
+  <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
   <ul class="q">
     <li> what about subjectAltName for Code-signing</li>
   </ul>
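Review bot: the Code-Signing list now states a subjectAltName item, yet the open question directly below it ("what about subjectAltName for Code-signing") is left in place, so the CPS both asserts the extension and asks whether it exists; remove or update that question in the same change. The Client list also drops serverAuth from extendedKeyUsage and cRLSign from keyUsage without the request mentioning it. That agrees with the client profiles in the accompanying config diff, but because this file is the policy text the change deserves an explicit line in the patch request.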
Index: ssl/openssl-server-org.cnf
===================================================================
--- ssl/openssl-server-org.cnf	(revision 2336)
+++ ssl/openssl-server-org.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/revoke.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
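Review bot: the crlDistributionPoints change needs a migration statement. The URI moves from http://www.CAcert.org/revoke.crl to http://crl.cacert.org/revoke.crl, but certificates already issued from this profile carry the old URI for their whole lifetime, so the request should say that the www.CAcert.org paths stay published or redirected after the signer is switched. The same host change is made in every server and server-org profile in this diff. keyUsage also becomes critical here, which changes how relying parties must treat the extension and is worth a line in the deployment notes.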
Index: ssl/class3s-ocsp.cnf
===================================================================
--- ssl/class3s-ocsp.cnf	(revision 2336)
+++ ssl/class3s-ocsp.cnf	(working copy)
@@ -141,10 +141,12 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-extendedKeyUsage=clientAuth,serverAuth,OCSPSigning
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = serverAuth, OCSPSigning, nsSGC, msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints   = URI:http://crl.cacert.org/class3s-revoke.crl
 
-subjectAltName=email:copy
 
 [ v3_req ]
 
Index: ssl/class3s-server.cnf
===================================================================
--- ssl/class3s-server.cnf	(revision 2336)
+++ ssl/class3s-server.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/class3s-revoke.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3s-revoke.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/class3s-client-codesign.cnf
===================================================================
--- ssl/class3s-client-codesign.cnf	(revision 2336)
+++ ssl/class3s-client-codesign.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment="To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3s-revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
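Review bot: every line of [usr_cert] is re-aligned in this hunk, which buries the two functional changes (keyUsage added as critical, crlDistributionPoints added) among whitespace-only edits; for files that live on the signing server it would be safer to submit the re-indentation separately so the functional delta can be checked line by line. On the functional part, this is the code-signing profile and keyUsage grants keyEncipherment and keyAgreement alongside digitalSignature; if that is intended because the profile also carries emailProtection, a comment in the file saying so would help the next reviewer.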
Index: ssl/class3-server-org.cnf
===================================================================
--- ssl/class3-server-org.cnf	(revision 2336)
+++ ssl/class3-server-org.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/class3-revoke.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/openssl-client-org.cnf
===================================================================
--- ssl/openssl-client-org.cnf	(revision 2336)
+++ ssl/openssl-client-org.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/openssl-ocsp.cnf
===================================================================
--- ssl/openssl-ocsp.cnf	(revision 2336)
+++ ssl/openssl-ocsp.cnf	(working copy)
@@ -141,10 +141,12 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-extendedKeyUsage=clientAuth,serverAuth,OCSPSigning
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = serverAuth, OCSPSigning, nsSGC, msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
 
-subjectAltName=email:copy
 
 [ v3_req ]
 
Index: ssl/class3s-client.cnf
===================================================================
--- ssl/class3s-client.cnf	(revision 2336)
+++ ssl/class3s-client.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3s-revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/openssl-server.cnf
===================================================================
--- ssl/openssl-server.cnf	(revision 2336)
+++ ssl/openssl-server.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/revoke.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/openssl-client-codesign.cnf
===================================================================
--- ssl/openssl-client-codesign.cnf	(revision 2336)
+++ ssl/openssl-client-codesign.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment="To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/class3-client-org.cnf
===================================================================
--- ssl/class3-client-org.cnf	(revision 2336)
+++ ssl/class3-client-org.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/class3-ocsp.cnf
===================================================================
--- ssl/class3-ocsp.cnf	(revision 2336)
+++ ssl/class3-ocsp.cnf	(working copy)
@@ -141,11 +141,12 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-extendedKeyUsage=clientAuth,serverAuth,OCSPSigning
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = serverAuth, OCSPSigning, nsSGC, msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
 
-subjectAltName=email:copy
-
 [ v3_req ]
 
 basicConstraints = CA:FALSE
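Review bot: keyUsage and extendedKeyUsage in this OCSP responder profile are broader than a responder needs. The hunk gives it the same keyUsage as the end-entity profiles (keyEncipherment and keyAgreement as well as digitalSignature) and adds nsSGC and msSGC to extendedKeyUsage, although a responder certificate only signs responses. Suggest limiting the section to digitalSignature and OCSPSigning unless serverAuth is required for the responder's own endpoint, and applying the same to the other ocsp.cnf hunks in this diff. The comment explaining why authorityInfoAccess is omitted is helpful; a matching comment on why subjectAltName=email:copy is removed would be too.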
Index: ssl/class3-server.cnf
===================================================================
--- ssl/class3-server.cnf	(revision 2336)
+++ ssl/class3-server.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/class3-revoke.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/class3-client-codesign.cnf
===================================================================
--- ssl/class3-client-codesign.cnf	(revision 2336)
+++ ssl/class3-client-codesign.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/openssl-client.cnf
===================================================================
--- ssl/openssl-client.cnf	(revision 2336)
+++ ssl/openssl-client.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root3/server-org.cnf
===================================================================
--- ssl/root3/server-org.cnf	(revision 2336)
+++ ssl/root3/server-org.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/root3.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root3/client.cnf
===================================================================
--- ssl/root3/client.cnf	(revision 2336)
+++ ssl/root3/client.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root3/client-org.cnf
===================================================================
--- ssl/root3/client-org.cnf	(revision 2336)
+++ ssl/root3/client-org.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root3/ocsp.cnf
===================================================================
--- ssl/root3/ocsp.cnf	(revision 2336)
+++ ssl/root3/ocsp.cnf	(working copy)
@@ -141,10 +141,12 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-extendedKeyUsage=clientAuth,serverAuth,OCSPSigning
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = serverAuth, OCSPSigning, nsSGC, msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
 
-subjectAltName=email:copy
 
 [ v3_req ]
 
Index: ssl/root3/server.cnf
===================================================================
--- ssl/root3/server.cnf	(revision 2336)
+++ ssl/root3/server.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/root3.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root3/client-codesign.cnf
===================================================================
--- ssl/root3/client-codesign.cnf	(revision 2336)
+++ ssl/root3/client-codesign.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment="To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root3.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root4/server-org.cnf
===================================================================
--- ssl/root4/server-org.cnf	(revision 2336)
+++ ssl/root4/server-org.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/root4.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root4/client.cnf
===================================================================
--- ssl/root4/client.cnf	(revision 2336)
+++ ssl/root4/client.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root4/client-org.cnf
===================================================================
--- ssl/root4/client-org.cnf	(revision 2336)
+++ ssl/root4/client-org.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root4/ocsp.cnf
===================================================================
--- ssl/root4/ocsp.cnf	(revision 2336)
+++ ssl/root4/ocsp.cnf	(working copy)
@@ -141,10 +141,12 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-extendedKeyUsage=clientAuth,serverAuth,OCSPSigning
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = serverAuth, OCSPSigning, nsSGC, msSGC
+# no authorityInfoAccess to avoid loops
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
 
-subjectAltName=email:copy
 
 [ v3_req ]
 
Index: ssl/root4/server.cnf
===================================================================
--- ssl/root4/server.cnf	(revision 2336)
+++ ssl/root4/server.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints           = URI:http://www.CAcert.org/root4.crl
 
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
+
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/root4/client-codesign.cnf
===================================================================
--- ssl/root4/client-codesign.cnf	(revision 2336)
+++ ssl/root4/client-codesign.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/root4.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
Index: ssl/class3s-server-org.cnf
===================================================================
--- ssl/class3s-server-org.cnf	(revision 2336)
+++ ssl/class3s-server-org.cnf	(working copy)
@@ -145,12 +145,14 @@
 unstructuredName		= An optional company name
 
 [ usr_cert ]
-basicConstraints= critical, CA:FALSE
-extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC
-keyUsage = digitalSignature, keyEncipherment
 
-crlDistributionPoints           = URI:http://www.CAcert.org/class3s-revoke.crl
+basicConstraints        = critical, CA:FALSE
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = clientAuth, serverAuth, nsSGC, msSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3s-revoke.crl
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE
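Review bot: authorityInfoAccess is newly introduced in this profile, since the removed lines contain no such entry, unlike the other server-org hunks where the line was only re-aligned. Certificates from class3s-server-org will therefore start carrying the OCSP pointer for the first time; please call that out in the request so it is tested deliberately rather than picked up as a side effect of the reformatting.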
Index: ssl/class3-client.cnf
===================================================================
--- ssl/class3-client.cnf	(revision 2336)
+++ ssl/class3-client.cnf	(working copy)
@@ -141,12 +141,15 @@
 
 [ usr_cert ]
 
-basicConstraints=critical,CA:FALSE
-nsComment			= "To get your own certificate for FREE head over to http://www.CAcert.org";
-extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC
-authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-subjectAltName=email:copy
+basicConstraints        = critical, CA:FALSE
+nsComment               = "To get your own certificate for FREE head over to http://www.CAcert.org";
+keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
+authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
+crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+subjectAltName          = email:copy
 
+
 [ v3_req ]
 
 basicConstraints = CA:FALSE

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



