summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Tänzer <neo@nhng.de>2012-07-25 02:28:17 +0200
committerMichael Tänzer <neo@nhng.de>2012-07-25 02:28:17 +0200
commit099af6d876b0d68f1d7e92e77c135152c33d2d89 (patch)
treedc9acec8f8b04016cb8da95e75aa88de1c2f926b
parentfd4fbe21e9ef63c555469b595f7748fadfb977f4 (diff)
parent29860eadb308d1316c62a695daa91d6f24eb6063 (diff)
downloadcacert-devel-099af6d876b0d68f1d7e92e77c135152c33d2d89.tar.gz
cacert-devel-099af6d876b0d68f1d7e92e77c135152c33d2d89.tar.xz
cacert-devel-099af6d876b0d68f1d7e92e77c135152c33d2d89.zip
Merge branch 'bug-540' into release
Diffstat
-rwxr-xr-xCommModule/server.pl21
-rw-r--r--www/policy/CertificationPracticeStatement.php70
2 files changed, 53 insertions, 38 deletions
diff --git a/CommModule/server.pl b/CommModule/server.pl
index eb5113a..c70bc9a 100755
--- a/CommModule/server.pl
+++ b/CommModule/server.pl
@@ -502,9 +502,28 @@ sub SignX509($$$$$$$$)
{
open OUT,">$wid/extfile";
print OUT "basicConstraints = critical, CA:FALSE\n";
+ print OUT "keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement\n";
print OUT "extendedKeyUsage = clientAuth, serverAuth, nsSGC, msSGC\n";
- print OUT "keyUsage = digitalSignature, keyEncipherment\n";
print OUT "authorityInfoAccess = OCSP;URI:$OCSPUrl\n";
+
+ my $CRLUrl="";
+ if($root==0)
+ {
+ $CRLUrl="http://crl.cacert.org/revoke.crl";
+ }
+ elsif($root==1)
+ {
+ $CRLUrl="http://crl.cacert.org/class3-revoke.crl";
+ }
+ elsif($root==2)
+ {
+ $CRLUrl="http://crl.cacert.org/class3s-revoke.crl";
+ }
+ else
+ {
+ $CRLUrl="http://crl.cacert.org/root${root}.crl";
+ }
+ print OUT "crlDistributionPoints = URI:${CRLUrl}\n";
print OUT "subjectAltName = $san\n" if(length($san));
close OUT;
$extfile=" -extfile $wid/extfile ";
diff --git a/www/policy/CertificationPracticeStatement.php b/www/policy/CertificationPracticeStatement.php
index e17056b..2a9bd11 100644
--- a/www/policy/CertificationPracticeStatement.php
+++ b/www/policy/CertificationPracticeStatement.php
@@ -3203,54 +3203,50 @@ The form of the PGP signatures depends on several factors, therefore no stipulat
<h4><a name="p7.1.2" id="p7.1.2">7.1.2. Certificate extensions</a></h4>
<p>
-Client certificates include the following extensions:.
+ Client certificates include the following extensions:
</p>
-<ul><li>
- basicConstraints=CA:FALSE (critical)
- </li><li>
- keyUsage=digitalSignature,keyEncipherment,cRLSign
- </li><li>
- </li><li>
- extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC
- </li><li>
- authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
- </li><li>
- subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).
-</li></ul>
+<ul>
+ <li>basicConstraints=CA:FALSE (critical)</li>
+ <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+ <li>extendedKeyUsage=emailProtection,clientAuth,msEFS,msSGC,nsSGC</li>
+ <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+ <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
+ with the URI where the certificate revocation list relating to the
+ certificate is found</li>
+ <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
<ul class="q">
<li> what about Client Certificates Adobe Signing extensions ?</li>
<li> SubjectAltName should become critical if DN is removed http://tools.ietf.org/html/rfc5280#section-4.2.1.6</li>
</ul>
-
<p>
-Server certificates include the following extensions:
+ Server certificates include the following extensions:
</p>
-<ul><li>
- basicConstraints=CA:FALSE (critical)
- </li><li>
- keyUsage=digitalSignature,keyEncipherment
- </li><li>
- extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC
- </li><li>
- authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
- </li><li>
- subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).
-</li></ul>
+<ul>
+ <li>basicConstraints=CA:FALSE (critical)</li>
+ <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+ <li>extendedKeyUsage=clientAuth,serverAuth,nsSGC,msSGC</li>
+ <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+ <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
+ with the URI where the certificate revocation list relating to the
+ certificate is found</li>
+ <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
<p>
-Code-Signing certificates include the following extensions:
+ Code-Signing certificates include the following extensions:
</p>
-
-<ul><li>
- basicConstraints=CA:FALSE (critical)
- </li><li>
- keyUsage=digitalSignature,keyEncipherment
- </li><li>
- extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC
- </li><li>
- authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org
-</li></ul>
+<ul>
+ <li>basicConstraints=CA:FALSE (critical)</li>
+ <li>keyUsage=digitalSignature,keyEncipherment,keyAgreement (critical)</li>
+ <li>extendedKeyUsage=emailProtection,clientAuth,codeSigning,msCodeInd,msCodeCom,msEFS,msSGC,nsSGC</li>
+ <li>authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org</li>
+ <li>crlDistributionPoints=URI:&lt;crlUri&gt; where &lt;crlUri&gt; is replaced
+ with the URI where the certificate revocation list relating to the
+ certificate is found</li>
+ <li>subjectAltName=(as per <a href="#p3.1.1">&sect;3.1.1.</a>).</li>
+</ul>
<ul class="q">
<li> what about subjectAltName for Code-signing</li>
</ul>
generated by cgit v1.2.1 (git 2.18.0) at 2023-03-24 16:51:46 +0000