Index: ssl/openssl-server-org.cnf =================================================================== --- ssl/openssl-server-org.cnf (revision 2336) +++ ssl/openssl-server-org.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3s-ocsp.cnf =================================================================== --- ssl/class3s-ocsp.cnf (revision 2336) +++ ssl/class3s-ocsp.cnf (working copy) @@ -141,10 +141,12 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -extendedKeyUsage=clientAuth,serverAuth,OCSPSigning +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = serverAuth, OCSPSigning, nsSGC, msSGC +# no authorityInfoAccess to avoid loops +crlDistributionPoints = URI:http://crl.cacert.org/class3s-revoke.crl -subjectAltName=email:copy [ v3_req ] Index: ssl/class3s-server.cnf =================================================================== --- ssl/class3s-server.cnf (revision 2336) +++ ssl/class3s-server.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/class3s-revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3s-revoke.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3s-client-codesign.cnf =================================================================== --- ssl/class3s-client-codesign.cnf (revision 2336) +++ ssl/class3s-client-codesign.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment="To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3s-revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-server-org.cnf =================================================================== --- ssl/class3-server-org.cnf (revision 2336) +++ ssl/class3-server-org.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/class3-revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/openssl-client-org.cnf =================================================================== --- ssl/openssl-client-org.cnf (revision 2336) +++ ssl/openssl-client-org.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/openssl-ocsp.cnf =================================================================== --- ssl/openssl-ocsp.cnf (revision 2336) +++ ssl/openssl-ocsp.cnf (working copy) @@ -141,10 +141,12 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -extendedKeyUsage=clientAuth,serverAuth,OCSPSigning +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = serverAuth, OCSPSigning, nsSGC, msSGC +# no authorityInfoAccess to avoid loops +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl -subjectAltName=email:copy [ v3_req ] Index: ssl/class3s-client.cnf =================================================================== --- ssl/class3s-client.cnf (revision 2336) +++ ssl/class3s-client.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3s-revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/openssl-server.cnf =================================================================== --- ssl/openssl-server.cnf (revision 2336) +++ ssl/openssl-server.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/openssl-client-codesign.cnf =================================================================== --- ssl/openssl-client-codesign.cnf (revision 2336) +++ ssl/openssl-client-codesign.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment="To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-client-org.cnf =================================================================== --- ssl/class3-client-org.cnf (revision 2336) +++ ssl/class3-client-org.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-ocsp.cnf =================================================================== --- ssl/class3-ocsp.cnf (revision 2336) +++ ssl/class3-ocsp.cnf (working copy) @@ -141,11 +141,12 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -extendedKeyUsage=clientAuth,serverAuth,OCSPSigning +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = serverAuth, OCSPSigning, nsSGC, msSGC +# no authorityInfoAccess to avoid loops +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl -subjectAltName=email:copy - [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-server.cnf =================================================================== --- ssl/class3-server.cnf (revision 2336) +++ ssl/class3-server.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/class3-revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-client-codesign.cnf =================================================================== --- ssl/class3-client-codesign.cnf (revision 2336) +++ ssl/class3-client-codesign.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/openssl-client.cnf =================================================================== --- ssl/openssl-client.cnf (revision 2336) +++ ssl/openssl-client.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root3/server-org.cnf =================================================================== --- ssl/root3/server-org.cnf (revision 2336) +++ ssl/root3/server-org.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/root3.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root3/client.cnf =================================================================== --- ssl/root3/client.cnf (revision 2336) +++ ssl/root3/client.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root3/client-org.cnf =================================================================== --- ssl/root3/client-org.cnf (revision 2336) +++ ssl/root3/client-org.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root3/ocsp.cnf =================================================================== --- ssl/root3/ocsp.cnf (revision 2336) +++ ssl/root3/ocsp.cnf (working copy) @@ -141,10 +141,12 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -extendedKeyUsage=clientAuth,serverAuth,OCSPSigning +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = serverAuth, OCSPSigning, nsSGC, msSGC +# no authorityInfoAccess to avoid loops +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl -subjectAltName=email:copy [ v3_req ] Index: ssl/root3/server.cnf =================================================================== --- ssl/root3/server.cnf (revision 2336) +++ ssl/root3/server.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/root3.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root3/client-codesign.cnf =================================================================== --- ssl/root3/client-codesign.cnf (revision 2336) +++ ssl/root3/client-codesign.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment="To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root3.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root4/server-org.cnf =================================================================== --- ssl/root4/server-org.cnf (revision 2336) +++ ssl/root4/server-org.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/root4.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root4/client.cnf =================================================================== --- ssl/root4/client.cnf (revision 2336) +++ ssl/root4/client.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root4/client-org.cnf =================================================================== --- ssl/root4/client-org.cnf (revision 2336) +++ ssl/root4/client-org.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root4/ocsp.cnf =================================================================== --- ssl/root4/ocsp.cnf (revision 2336) +++ ssl/root4/ocsp.cnf (working copy) @@ -141,10 +141,12 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -extendedKeyUsage=clientAuth,serverAuth,OCSPSigning +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = serverAuth, OCSPSigning, nsSGC, msSGC +# no authorityInfoAccess to avoid loops +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl -subjectAltName=email:copy [ v3_req ] Index: ssl/root4/server.cnf =================================================================== --- ssl/root4/server.cnf (revision 2336) +++ ssl/root4/server.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://www.CAcert.org/root4.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl + + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/root4/client-codesign.cnf =================================================================== --- ssl/root4/client-codesign.cnf (revision 2336) +++ ssl/root4/client-codesign.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, codeSigning, msCodeInd, msCodeCom, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/root4.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3s-server-org.cnf =================================================================== --- ssl/class3s-server-org.cnf (revision 2336) +++ ssl/class3s-server-org.cnf (working copy) @@ -145,12 +145,14 @@ unstructuredName = An optional company name [ usr_cert ] -basicConstraints= critical, CA:FALSE -extendedKeyUsage= clientAuth, serverAuth, nsSGC, msSGC -keyUsage = digitalSignature, keyEncipherment -crlDistributionPoints = URI:http://www.CAcert.org/class3s-revoke.crl +basicConstraints = critical, CA:FALSE +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3s-revoke.crl + [ v3_req ] basicConstraints = CA:FALSE Index: ssl/class3-client.cnf =================================================================== --- ssl/class3-client.cnf (revision 2336) +++ ssl/class3-client.cnf (working copy) @@ -141,12 +141,15 @@ [ usr_cert ] -basicConstraints=critical,CA:FALSE -nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" -extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC -authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -subjectAltName=email:copy +basicConstraints = critical, CA:FALSE +nsComment = "To get your own certificate for FREE head over to http://www.CAcert.org" +keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement +extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC +authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org +crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl +subjectAltName = email:copy + [ v3_req ] basicConstraints = CA:FALSE