Hello all!
I'm looking for ways to turn off and on features in
the "Certificate purposes" are of a certificate. I've
read over extfile and extension plus looked at
basicContraints.
I'm unclear by the documentation written for openssl, x509, ca, etc., just how to do this. Can someone please point me in the right direction?
Having just gone through a similar exercise in a round-about-way, this is controlled via the CA that signed the certificate. For example, in my world i use VeriSign's PKI and gen a cert for my apache server, and have VeriSign sign it. However, my apache server root CA, only permitted Secure Server, when i needed Client Authentication as well. Well, i looked at the Verisign/RSA Secure Server CA Certificate in the root, and sure enough, client auth was NOT enabled, so any certificate presented would also have the same eku. I called my VeriSign rep, he sent me a modified Verisign CA to replace the one above, and sure enough that fixed my problem.
The solution actually is as simple as pulling the CA in to a browser and looking at and modifying what yuu need, saving that and exporting it out for use by the server you have the SSL certs installed on.
smime.p7s
Description: S/MIME Cryptographic Signature
