From faf71c7e70bfdea7b39e597d72065282f5fa7497 Mon Sep 17 00:00:00 2001 From: vnxme <46669194+vnxme@users.noreply.github.com> Date: Tue, 10 Mar 2020 11:48:53 +0300 Subject: [PATCH] Fix nsComment inconsistency in OpenSSL config (#3955) Read more about the Netscape extensions status: https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html --- src/etc/ssl/opnsense.cnf | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/etc/ssl/opnsense.cnf b/src/etc/ssl/opnsense.cnf index 1857ba322..5aaccb867 100644 --- a/src/etc/ssl/opnsense.cnf +++ b/src/etc/ssl/opnsense.cnf @@ -174,7 +174,7 @@ basicConstraints=CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" +nsComment = "OPNsense Generated Client Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash @@ -197,6 +197,8 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment # Extensions for a typical CA +# This will be displayed in Netscape's comment listbox. +nsComment = "OPNsense Generated Certificate Authority" # PKIX recommendation. @@ -220,6 +222,9 @@ basicConstraints = CA:true # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always +# This will be displayed in Netscape's comment listbox. +nsComment = "OPNsense Generated Certificate Revocation List" + [ proxy_cert_ext ] # These extensions should be added when creating a proxy certificate @@ -229,7 +234,7 @@ authorityKeyIdentifier=keyid:always basicConstraints=CA:FALSE # This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" +nsComment = "OPNsense Generated Proxy Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash 
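Review bot: The two lines added in the `@@ -197,6 +197,8 @@` hunk put `nsComment` into the CA extensions block (the one introduced by `# Extensions for a typical CA`), a section that did not carry this Netscape-specific extension before. The x509v3_config page linked in the commit message lists the Netscape extensions as obsolete and discouraged for new use. The string also stamps the product name into every CA certificate, where any party that receives the chain can read it. If the label is wanted anyway, I would replace the copied comment with `# Deprecated Netscape extension: informational only, not evaluated during path validation.` so nobody treats it as a trust signal. The section header is outside the hunk, so the section is inferred from the comment.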
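Review bot: In the `@@ -220,6 +222,9 @@` hunk `nsComment` is added after `authorityKeyIdentifier=keyid:always`, in what looks like the CRL extensions section (the header is above the hunk; the new string itself says "Certificate Revocation List"). `nsComment` is a Netscape certificate extension, not one of the CRL extensions defined in RFC 5280, so every CRL built from this section would carry a non-standard extension with no defined handling on the relying-party side. The copied comment about Netscape's comment listbox also does not apply to a CRL. I would leave this section without it, or at least ship it disabled as `# nsComment = "OPNsense Generated Certificate Revocation List"`. Whether this section is actually read when CRLs are generated is not visible here.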
@@ -273,7 +278,7 @@ ess_cert_id_chain = no # Must the ESS cert id chain be included? # Make a cert with nsCertType=server basicConstraints=CA:FALSE nsCertType = server -nsComment = "OpenSSL Generated Server Certificate" +nsComment = "OPNsense Generated Server Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2 @@ -295,7 +300,7 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ sign_csr ] -nsComment = "OPNsense Generated Certificate" +nsComment = "OPNsense Generated Certificate Signing Request" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always
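Review bot: The new value in the `@@ -295,7 +300,7 @@` hunk labels the output as a "Certificate Signing Request", but the keys next to it (`subjectKeyIdentifier`, `authorityKeyIdentifier = keyid,issuer:always`) are extensions of an issued certificate. `[ sign_csr ]` therefore presumably describes the certificate produced when a CSR is signed, and the comment would end up inside certificates that it describes as requests. That is misleading for anyone who later inspects the certificate to work out how it was issued. Something like `nsComment = "OPNsense Generated Certificate (from CSR)"` would keep the distinction from the other sections without mislabeling the artifact. The section may continue past the end of the hunk, so how it is consumed should be confirmed.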