> > [ x509v3_ext_client ]
> > basicConstraints=CA:FALSE
> > nsCertType = client, email #SSL Client
> ^^^^^^^^^^^^^^^^^^^
> So you really _set_ these values (which is understandable but not
> necessary as of the comment in the sample openssl.cnf!).
Yes, it's not necessary, but first, it may be necessary to set this if you
want to send encrypted/signed mails with Netscape, and second, X.509 says
(taken from the X.509 Style Guide - Peter Gutmann):
X.509 and PKIX use keyUsage and extKeyUsage to select the key to use from
a selection of keys unless the extension is marked critical, in which case
it's treated as a usage restriction...
Microsoft...has shown that it's mostly ignored...
Netscape...uses keyUsage as a key selection mechanism and uses the
cert-type extension in a complex manner described in the Netscape
certificate extension specification.
Since the most used browser at TFH is Netscape, I set cert-type and
keyUsage.
It seems that Netscape *really* likes those nsXXXX extensions ;)
> > keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> > nsRevocationUrl = $nsRevocationUrl_def
Well, I don't know exactly whether this works; in my first test NS didn't ask
the WWW-Server at all... But I'm not sure at the moment ;)
oki,
Steffen
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
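
The Style Guide passage quoted in the message above (keyUsage as a key-selection hint unless marked critical, then a restriction), modelled as an added example that is not part of the original mail or of OpenSSL. The names parse_ext_section and select_cert and the two variant sections are assumptions made for illustration; the sketch does not describe how any particular client behaves.

```python
# Added illustration; parse_ext_section and select_cert are hypothetical names.
def parse_ext_section(text):
    """Parse 'name = [critical,] v1, v2 # comment' lines of an openssl.cnf
    extension section into {name: (critical, [values])}."""
    exts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        values = [v.strip() for v in value.split(",") if v.strip()]
        critical = bool(values) and values[0] == "critical"
        exts[name] = (critical, values[1:] if critical else values)
    return exts


def select_cert(certs, usage):
    """certs: {label: parsed extensions}. Return the label to use for `usage`.

    Non-critical keyUsage only ranks candidates (key selection); critical
    keyUsage that omits `usage` removes the candidate (usage restriction)."""
    preferred, fallback = [], []
    for label, exts in certs.items():
        critical, usages = exts.get("keyUsage", (False, []))
        if usage in usages:
            preferred.append(label)
        elif not critical:
            fallback.append(label)
    return (preferred + fallback or [None])[0]


# Constructed sample: the section quoted in the message, plus two variants.
CLIENT = parse_ext_section("""
[ x509v3_ext_client ]
basicConstraints=CA:FALSE
nsCertType = client, email #SSL Client
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
""")
SIGN_HINT = parse_ext_section("keyUsage = digitalSignature")
SIGN_ONLY = parse_ext_section("keyUsage = critical, digitalSignature")

if __name__ == "__main__":
    print(select_cert({"sign_only": SIGN_ONLY, "client": CLIENT}, "keyEncipherment"))
    print(select_cert({"sign_hint": SIGN_HINT}, "keyEncipherment"))
    print(select_cert({"sign_only": SIGN_ONLY}, "keyEncipherment"))
```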