server_certificate.ext.in

来自「Perl写的CA认证程序」· IN 代码 · 共 59 行

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=critical, CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# For an object signing certificate this would be used.
#nsCertType = objsign

# For normal client use this is typical
nsCertType = server, objsign

# This is typical also
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement

extendedKeyUsage= serverAuth, msCodeInd, msCodeCom, msSGC, msEFS, nsSGC

# PKIX recommendations
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# Comment
nsComment		= $ENV::COMMENT

# Import the email address.
subjectAltName=email:copy

# Copy subject details
issuerAltName=issuer:copy

# Authority Info Access
authorityInfoAccess = OCSP;URI:http://@baseurl@/ocsp
authorityInfoAccess = caIssuers;URI:http://@baseurl@/ca/issuers.html

# CRLs
crlDistributionPoints=URI:http://@baseurl@/crl/cacrl.crl

# Policy Related
certificatePolicies=1.3.6.1.4.1.5255.1.1.1,@polsec

# Netscape (unused ?) extensions
nsCaRevocationUrl	= http://@baseurl@/crl/cacrl.crl
nsRevocationUrl		= http://@baseurl@/crl/cacrl.crl
nsRenewalUrl		= http://@baseurl@/crl/cacrl.crl

nsCaPolicyUrl="http://www.europki.org/ca/root/cps/1.1/"
#nsBaseUrl
#nsSslServerName

[polsec]
policyIdentifier=1.3.6.1.4.1.5255.1.1.1
CPS.1="http://www.europki.org/ca/root/cps/1.1/"
CPS.2="http://@baseorg@/cps/"