and in it add a line
nsCertType=server
and when signing a request, add to command line -extensions server
(at least that appears, what easyrsa script was doing)
Easyrsa script also added a comment and from some other section made that cert an end entity (incapable of being a CA), but these soes not seems to be critical.
Citējot Gaglia <san...@paranoici.org>:
Hi,______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
I'm setting up an OpenVPN client-server using OpenSSL 1.0.0 for cert
generation.
How do I set the nsCertType attribute to "server" in the server cert? I
mean, without using automated scripts like easy-rsa.
This is what I'm doing:
openssl genrsa -out serverkey.pem 4096
cd ..
openssl req -new -keyserverkey.pem -config $MYCONFDIR/openssl.cnf -subj
'/CN=myservername' -days 36500 -sha512 -out req.pem
openssl ca -config $MYCONFDIR/openssl.cnf -policy policy_anything -out
servercert.pem -md sha512 -cert cacert.pem -keyfile private/cakey.pem
-infiles req.pem
