authorreyk <reyk@openbsd.org>2010-10-08 16:15:22 +0000
committerreyk <reyk@openbsd.org>2010-10-08 16:15:22 +0000
commit6a81536a78f3e5fce8a9b092bd139a059dbf8ebc (patch)
tree9fae4ac1f42475037159e38763a7fab77d02c716 /usr.sbin/ikectl/ikeca.cnf
parentcheck if a directory exists before trying to create it in the export (diff)
set the client/server certificate options with all the common keyusage
and extendedkeyusage and nscerttype flags. the ikectl CA can now be used with all kinds of other vpn tools in addition to iked and isakmpd. ok phessler@
Diffstat (limited to 'usr.sbin/ikectl/ikeca.cnf')
-rw-r--r--usr.sbin/ikectl/ikeca.cnf7
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/ikectl/ikeca.cnf b/usr.sbin/ikectl/ikeca.cnf
index 321efb36f72..8a6ba77e2a0 100644
--- a/usr.sbin/ikectl/ikeca.cnf
+++ b/usr.sbin/ikectl/ikeca.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: ikeca.cnf,v 1.3 2010/10/07 09:36:33 phessler Exp $
+# $OpenBSD: ikeca.cnf,v 1.4 2010/10/08 16:15:22 reyk Exp $
# $vantronix: ikeca.cnf,v 1.3 2010/05/31 12:26:26 reyk Exp $
RANDFILE = /dev/arandom
@@ -18,6 +18,7 @@ EXTCERTUSAGE = serverAuth,clientAuth
CERTIP = 0.0.0.0
CERTFQDN = nohost.nodomain
CADB = index.txt
+NSCERTTYPE = server,client
[ req ]
default_bits = 2048
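Review bot: The new default `NSCERTTYPE = server,client`, together with the existing `EXTCERTUSAGE = serverAuth,clientAuth` shown in the hunk header, marks every certificate issued from these defaults as valid for both roles. VPN peers that rely on nsCertType or extendedKeyUsage to tell a server certificate from a client certificate get no role separation from this CA, so any issued certificate would pass a server-type check. If ikectl is expected to override these values per certificate through the environment, that should be stated above the defaults, e.g. `# defaults mark certs as both server and client; set NSCERTTYPE/EXTCERTUSAGE per certificate to separate roles`.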
@@ -74,10 +75,14 @@ basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
keyUsage=$ENV::CERTUSAGE
[x509v3_IPAddr]
+keyUsage=$ENV::CERTUSAGE
+nsCertType=$ENV::NSCERTTYPE
subjectAltName=IP:$ENV::CERTIP
extendedKeyUsage=$ENV::EXTCERTUSAGE
[x509v3_FQDN]
+keyUsage=$ENV::CERTUSAGE
+nsCertType=$ENV::NSCERTTYPE
subjectAltName=DNS:$ENV::CERTFQDN
extendedKeyUsage=$ENV::EXTCERTUSAGE
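Review bot: The added `keyUsage=$ENV::CERTUSAGE` lines in `[x509v3_IPAddr]` and `[x509v3_FQDN]` reuse the variable that also sets keyUsage in the preceding section, which appears to be the CA section given `basicConstraints=critical,CA:true` in the hunk header. The default for CERTUSAGE is outside this diff; if it includes keyCertSign or cRLSign, end-entity certificates would carry CA key usages unless ikectl overrides the variable per certificate. A dedicated variable for leaf certificates would make the intent explicit, e.g. `keyUsage=$ENV::LEAFCERTUSAGE` with its own default (name constructed for illustration). The `[x509v3_IPAddr]` section as shown also has no `basicConstraints` line, so it is worth confirming that leaf certificates are issued with `CA:FALSE`.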