From d8579502b71be44b4bc0ac0ca7144cbecf6ae2d3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Mon, 14 Jan 2019 09:49:03 +0000
Subject: [PATCH] system: remove some fluff from OpenSSL config
---
 src/etc/ssl/opnsense.cnf | 89 ---------------------------------------
 1 file changed, 89 deletions(-)
diff --git a/src/etc/ssl/opnsense.cnf b/src/etc/ssl/opnsense.cnf
index c1ea91cf3..f49ad2329 100644
--- a/src/etc/ssl/opnsense.cnf
+++ b/src/etc/ssl/opnsense.cnf
@@ -170,21 +170,6 @@ unstructuredName = An optional company name
 basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
 # This is typical in keyUsage for a client certificate.
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
@@ -196,26 +181,6 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
 extendedKeyUsage=clientAuth
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This is required for TSA certificates.
-# extendedKeyUsage = critical,timeStamping
-
 ###OPNsense:subjectAltName###
 [ v3_req ]
@@ -245,25 +210,6 @@ authorityKeyIdentifier=keyid:always,issuer
 # So we do this instead.
 basicConstraints = CA:true
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
 ###OPNsense:subjectAltName###
 [ crl_ext ]
@@ -282,24 +228,6 @@ authorityKeyIdentifier=keyid:always
 basicConstraints=CA:FALSE
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
 # This will be displayed in Netscape's comment listbox.
 nsComment = "OpenSSL Generated Certificate"
@@ -307,23 +235,6 @@ nsComment = "OpenSSL Generated Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
 # This really needs to be in place for it to be a proxy certificate.
 proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo