我对 SSL 的了解非常基础,我需要为本地服务器 [ ] 生成自签名 SSL 证书,server.local以便可以在移动应用程序中使用它进行 SSL 固定。
如何通过以下方式创建遵循 Apple 制定的规则的自签名证书openssl x509?
- 所有 TLS 服务器证书都必须符合 iOS 13 和 macOS 10.15 中的这些新安全要求;违反这些新要求的 TLS 服务器连接将失败,并可能会导致网络故障、应用程序失败以及网站无法在 Safari 中加载:
- 使用 RSA 密钥的证书和颁发 CA 必须使用 ≥2048 位的密钥大小;<2048 位的 RSA 密钥大小不再受信任
- 证书和颁发 CA 必须在签名算法中使用 SHA2 系列中的哈希算法;SHA1 签名证书不再受 TLS 信任
SubjectAltName证书必须在证书扩展中显示服务器的 DNS 名称;CommonName证书中的 DNS 名称不再受信任- 2019 年 7 月 1 日之后颁发的证书(如证书的 NotBefore 字段所示)必须遵循以下准则:
- 证书必须包含包含OID 的
extendedKeyUsage(EKU) 扩展id-kp-serverAuth - 证书的有效期必须≤825天,以证书的NotBefore和NotAfter字段表示。
- 证书必须包含包含OID 的
我通过以下方式创建了证书:
openssl genrsa -des3 -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem
在服务器和设备上安装后,当我尝试在 iOS 内部使用它时,出现错误:
SSL hostname does not match name(s) in certificate,
Extended key usage does not match certificate usage, Root is not trusted`
答案1
自签名证书应该绝不被使用,因为它们没有信任链因此不安全且毫无意义;推荐的方法是创建一个自签名 CA,并使用该 CA 通过 签署证书openssl.cnf,例如风俗一。
- 这
commonName[CN]不能是 IP 或 DNS 名称,因为这样做不安全;我始终建议使用来CN命名证书(例如Apache Web Server X,VPN Server 1等) - SAN [
SubjectAltName] 配置文件可以包含:email:电子邮件地址URI:统一资源标识符DNS:DNS 域名 [本地或 FQDN]ID:注册ID:对象标识符[对象标识符]IP:IP地址dirName:专有名称otherName:OID;content[与 OID 关联的任意数据]
(含量值以标准为准ASN1_generate_nconf格式)
执行包含以下内容的目录中的所有命令openssl.cnf:
- 下载自定义
openssl.cnf:(Linux/视窗)# Linux: wget https://raw.githubusercontent.com/JW0914/Wikis/master/Scripts%2BConfigs/OpenSSL/Linux/openssl.cnf # Windows: wget https://raw.githubusercontent.com/JW0914/Wikis/master/Scripts%2BConfigs/OpenSSL/openssl.cnf
- 编辑要创建的证书的 SAN 配置文件: (第 151 至 244 行)
- 加州:编辑第 170 行 [
Router.1] 以命名您的 CA[ alt_ca_main ] DNS.1 = Router.1 IP.1 = 127.0.0.1[ alt_ca_main ]alt_:指定 SAN 配置文件ca_main:SAN 配置文件的自定义名称
(如果重命名:更新 CA V3 配置文件第 264 行 [@alt_ca_main])DNS.1:
命名 CA,以便于管理多个 CA/ICAIP.1:
某些路由器操作系统要求在主 CA 中指定环回 IP
- 客户端/服务器证书:编辑第 189 - 193 行
[ alt_sophos ] IP.1 = 192.168.2.1 IP.2 = 127.0.0.1 DNS.1 = UTM.WRT DNS.2 = your.ddns.com[ alt_sophos ]:
SAN 配置文件名称;sophos仅当希望重命名时才更改
(如果重命名:更新 V3 剖面线 331 [v3_sophos] 和 337 [@alt_sophos])IP.1:
服务器 IP(如果可以通过 SSH 访问,则必须指定环回 IP [IP.2])
(按时间顺序在新行上列出其他 IP;例如IP.3)DNS.1:LocalHostname.LocalDomainDNS.2:
动态域名/FQDN
(按时间顺序列出新行中的其他名称;例如DNS.3)
- 加州:编辑第 170 行 [
- 创建先决条件文件和目录: (第 436 至 455 行)
mkdir crl; echo 01 > crl\crlnumber; echo > index; echo > rand; echo 00 > serialcrlnumber:
下一个 CRL [证书吊销列表] 的序列号已签名(第 443 至 446 行)index:
所有已创建证书的列表(第 448 - 451 行和第 642 - 686 行)openssl ca必须用来index自动维护,我不会介绍,因为它使过程过于复杂(手动维护:642 - 686 行)
rand:
用于证书/密钥创建的随机字符(第 453 至 455 行)serial:
最后一个签名证书的序列号[十六进制],可以是任意数字(第 438 - 441 行和第 671 - 681 行)
- 创建 CA:
大多数可以忽略,因为绝大多数人使用 RSA 都没问题:# CA key should have a secure passphrase of at least 20 characters, containing: # 2 uppercase, 2 lowercase, 2 numbers, and 2 symbols # Request: openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout 'CA.key.pem' -out 'CA.crt.pem' -config '.\openssl.cnf' -extensions v3_ca # Generate CA CRL Cert: openssl ca -gencrl -keyfile 'CA.key.pem' -cert 'CA.crt.pem' -out 'CA.crl.pem' -config '.\openssl.cnf' # Convert CA CRL Cert to DER CRL: openssl crl -inform PEM -in '.\CA.crl.pem' -outform DER -out '.\CA.crl'
所选密钥的类型决定了可以使用的密钥交换算法 [下文]- 必须确保 CA V3 配置文件的 KU 不被更改(第 260 至 265 行)
- 必须确保 CA V3 配置文件的 KU 不被更改(第 260 至 265 行)
- (选修的) 创建 ICA [中级 CA]:
如果需要多个 CA 来降低任何一个 CA 被入侵的风险,则很有用
大多数可以忽略,因为绝大多数人使用 RSA 都没问题:# ICA key should have a secure passphrase of at least 20 characters, containing: # 2 uppercase, 2 lowercase, 2 numbers, and 2 symbols # Request: openssl req -out '.\ICA.csr' -new -days 3650 -sha512 -newkey rsa:4096 -keyout 'ICA.key.pem' -config '.\openssl.cnf' -extensions v3_ica_router2 # Sign ICA with CA: openssl x509 -req -sha512 -days 3650 -in '.\ICA.csr' -CA 'CA.crt.pem' -CAkey 'CA.key.pem' -CAserial '.\serial' -out 'ICA.crt.pem' -extfile '.\openssl.cnf' -extensions v3_ica_router2 # Generate ICA CRL Cert: openssl ca -config '.\openssl.cnf' -gencrl -keyfile 'ICA.key.pem' -cert 'ICA.crt.pem' -out '.\ICA.crl.pem' # Convert ICA CRL Cert to DER CRL: openssl crl -inform PEM -in '.\ICA.crl.pem' -outform DER -out '.\ICA.crl' # Concatenate ICA and CA Cert: # Linux: cat './ICA.crt.pem' './CA.crt.pem' > './CA-ICA-Chain.crt.pem' # Windows: cmd /c type '.\ICA.crt.pem' '.\CA.crt.pem' > '.\CA-ICA-Chain.crt.pem'
所选密钥的类型决定了可以使用的密钥交换算法 [下文]- 必须确保 ICA V3 配置文件的 KU 不被更改 (第 267 至 279 行)
- ICA V3 配置文件 contian
pathlen:0(它们可以签署证书,但不能签署 CA/ICA);如果pathlen未指定/设置数字,它可以签署无限/指定数量的 CA/ICA
- 创建证书: (如果 V3 配置文件在 2.2 中重命名,请在此处更新)
大多数可以忽略,因为绝大多数人使用 RSA 都没问题:# Server certs: add -nodes to the end of the Request command; else server requires # manually entering encryption passphrase when starting (impractical) # Request: openssl req -out '.\server.csr' -new -days 825 -sha512 -newkey rsa:2048 -keyout '.\server.key.pem' -config '.\openssl.cnf' -extensions v3_sophos -nodes # Sign: # CA only: openssl x509 -req -sha512 -days 825 -in '.\server.csr' -CA '.\CA.crt.pem' -CAkey '.\CA.key.pem' -CAserial '.\serial' -out '.\server.crt.pem' -extfile '.\openssl.cnf' -extensions v3_sophos # ICA: (change to) -CA '.\CA-ICA-Chain.crt.pem' -CAkey '.\ICA.key.pem' # Chain of Trust: Concatenate CA or ICA and CA to Cert: # For ICA, change CA.crt.pem to CA-ICA-Chain.crt.pem # Linux: cat './CA.crt.pem' >> './server.crt.pem' # Windows: cmd /c type './CA.crt.pem' >> './server.crt.pem' # (Optional) Export: # CA only: openssl pkcs12 -export -out '.\server.p12' -inkey '.\server.key.pem' -in '.\server.crt.pem' -certfile 'CA.crt.pem' # ICA: (change to) -certfile 'CA-ICA-Chain.crt.pem' # CA - ICA chain cert must be exported to maintain the Chain of Trust of: Cert → ICA → CA
所选密钥的类型决定了可以使用的密钥交换算法 [下文]
参考:
证书验证:
- 证书:
openssl x509 -text -noout -in 'cert.crt.pem' - 证书签名请求[CSR]:
openssl req -text -noout -verify -in 'cert.csr' - 钥匙:
openssl rsa -check -in 'cert.key.pem' - PKCS12 [
.pfx/.p12]:openssl pkcs12 -info -in 'cert.p12'
十六进制 ⟷ 十进制转换:
- Linux:
# hex → dec: (returns 10) printf '%d\n' 0x0a # dec → hex: (returns 0a) printf '%x\n' 10 - 视窗:
计算器具有程序员模式
index:
-
# Manually maintain the index file by inputting one cert entry per line in the following format: # 1 2-----------> 3-> 4> 5-----> 6----------------------------------------------------------------------------> V 261231235959Z 0a unknown /C=US/ST=State/L=Locality/O=Org/OU=Unit/CN=Common Name/[email protected] # 1 Status of Certificate: V # Valid R # Revoked E # Expired # 2 Expiration Date: YYMMDDHHMMSSZ # Date format followed by 'Z' (2026.12.31 @ 23:59:59) # 3 Revocation Date: (empty if not revoked) YYMMDDHHMMSSZ,reason # Valid reasons are: ## keyCompromise ## CACompromise ## affiliationChanged ## superseded ## cessationOfOperation ## certificateHold ## privilegeWithdrawn ## AACompromise # Certain distros error out without a whitespace for 3 # 4 Serial number in hex format: 0a # hex for 10 # 5 Certificate Filename or Literal String unknown # Certificate filename or literal string 'unknown' # 6 Distinguished Name
密钥交换算法:
RSA:
通过服务器公钥加密客户端选择的随机值- 必需的:
服务器公钥必须是 RSA 密钥
服务器证书必须具有 KUkeyAgreement
- 必需的:
DH_RSA:
密钥交换通过静态 Diffie-Hellman 密钥进行- 必需的:
CA 必须使用 RSA 签名密钥
服务器公钥必须是 Diffie-Hellman 密钥
Diffie-Hellman 密钥必须由 CA 颁发
- 必需的:
DH_DSA:
类似DH_RSA,但 CA 使用 DSA 密钥代替 RSADHE_RSA:
密钥交换通过 Ephemeral Diffie-Hellman 进行- 服务器动态生成并签名 DH 公钥,并将其发送给客户端
- 必需的:
服务器公钥必须是 RSA 密钥
服务器证书必须具有 KUdigitalSignature
DHE_DSA:
类似DHE_RSA,但 CA 使用 DSA 密钥代替 RSA
椭圆曲线密钥交换算法:
ECDH_RSA:
类似DH_RSA,但采用椭圆曲线- 必需的:
服务器公钥必须是 ECDH 密钥
服务器证书必须由 CA 使用 RSA 公钥颁发
- 必需的:
ECDH_ECDSA:
类似ECDH_RSA,但 CA 使用的是 ECDSA 密钥ECDHE_RSA:服务器发送动态生成的 EC Diffie-Hellman 密钥,并通过其 RSA 密钥对其进行签名- 服务器公钥对 Ephemeral EC Diffie-Hellman 密钥进行签名
- 服务器公钥对 Ephemeral EC Diffie-Hellman 密钥进行签名
ECDHE_ECDSA:
类似ECDHE_RSA,但服务器公钥是 ECDSA 密钥- 相当于
DHE_DSS,但 Diffie-Hellman 和 签名均采用椭圆曲线
- 相当于
KU 和 EKU:
手册页:
openssl.cnf
虽然我的 GitHub 将始终维护openssl.cnf整个过程中的自定义链接,但由于此答案依赖于此,因此提供了 Linux 版本以实现冗余:
(由于 30K 字符的限制,无法包含 Windows 版本)
#
##::[[--- Linux OpenSSL Config ---]]::##
#====================================================================
##----- Notes -----##
#====================================================================
# All commands required can be found beginning on line 430
# Windows users, either:
# Change file paths from "/" to "\\"
# Download the Windows openssl.cnf: https://github.com/JW0914/Wikis/blob/master/Scripts+Configs/OpenSSL/openssl.cnf
# Sophos users:
# If not using SANs, prior to generating user certs, ensure 'x509_extensions = usr_cert_not_dn'
# This results with 'RFC822 Name = [email protected]' in the SubjectAlternativeName of the certificate.
# Without this, it will be impossible to authenticate to VPNs on Sophos.
# Intermediate CAs & Intermediate CA client certs CANNOT be utilized on Sophos UTM due to how Sophos authenticates.
# Only exception is the WebAdmin certificate, which can be signed by a Public ICA authority for a FQDN.
# For chain of trust to be maintained, CA & ICA must be installed on devices accessing the WebAdmin/User Portal.
#====================================================================
##----- Establish Build Variables -----##
#====================================================================
dir = /etc/ssl
cnf = /etc/ssl/openssl.cnf
CNF = $dir/openssl.cnf
#====================================================================
##----- Establish CA Profile and Policy -----##
#====================================================================
[ default ]
UTM = "Sophos UTM CA"
WRT = "Router 2 ICA"
VPN = "Router 2 VPN ICA"
[ ca ]
default_ca = CA_default
#====================================================================
[ CA_default ]
certs = $dir
new_certs_dir = $dir
database = $dir/index
RANDFILE = $dir/rand
serial = $dir/serial
crldir = $dir/crl
crlnumber = $crldir/crlnumber
crl = $crldir/ca.crl.pem
default_crl_days = 3650
certificate = "$dir/ca/$UTM.crt.pem"
private_key = "$dir/ca/$UTM.key.pem"
default_days = 3650
preserve = no
default_md = sha512
x509_extensions = usr_cert_not_dn
copy_extensions = copy
unique_subject = yes
policy = policy_match
name_opt = esc_2253,esc_ctrl,esc_msb,sep_comma_plus_space,ignore_type
cert_opt = ca_default
#====================================================================
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
[ policy_supply ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = optional
emailAddress = optional
#====================================================================
##----- Establish Certificate Options -----#
#--------------------------------------------------------------------
# x64 machines always process SHA512 faster than SHA256.
# 'encrypt_key = yes' is not currently commented out.
# When creating a key for a server, add '-nodes' to the Request command.
[ req ]
default_bits = 2048
default_keyfile = private.key.pem
preserve = no
default_md = sha512
string_mask = utf8only
utf8 = yes
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req
x509_extensions = v3_ca
copy_extensions = copy
encrypt_key = yes
[ req_attributes ]
challengePassword =
challengePassword_min = 12
challengePassword_max = 40
#====================================================================
[ req_distinguished_name ]
countryName = Country
countryName_max = 2
stateOrProvinceName = State
localityName = Locality
0.organizationName = Organization
organizationalUnitName = Organizational Unit
commonName = Common Name
commonName_max = 64
emailAddres = Email
emailAddress_max = 64
countryName_default = xx
stateOrProvinceName_default = State
localityName_default = Locality
0.organizationName_default = Sophos UTM
organizationalUnitName_default = LAN
#====================================================================
##----- Establish SubjectAltName (SAN) Profiles -----##
#====================================================================
# All server certs with WebUIs should have their loopback IP specified in their SAN profile.
# This prevents certificate errors if connecting to the device, router, or server via an SSH tunnel.
# Certain OS CA certs must have the loopback IP specified in SAN profile (i.e. Sophos UTM's CA).
# Provided SAN profiles are utilized, Common Names can be whatever one wishes (i.e. not the DNS or IP)
# SANs can be: 'email' (email address), 'URI' (Uniform Resource Indicator), 'DNS' (DNS domain name),
# 'RID' (Registered ID: OBJECT IDENTIFIER), 'IP' (IP address), 'dirName' (Distinguished Name), and 'otherName'.
#--------------------------------------------------------------------
##----- Certificate Authorities -----##
#--------------------------------------------------------------------
# Main #
[ alt_ca_main ]
DNS.1 = Router.1
IP.1 = 127.0.0.1
# Router 2 #
[ alt_ica_router2 ]
DNS.1 = Router.2
IP.1 = 127.0.0.1
# Code Signing #
[ alt_signing_ica ]
DNS.1 = Code-Signing
#--------------------------------------------------------------------
##----- Certificate Authority Clients -----##
#--------------------------------------------------------------------
# Main #
# Servers #
[ alt_sophos ]
IP.1 = 192.168.2.1
IP.2 = 127.0.0.1
DNS.1 = UTM.WRT
DNS.2 = your.ddns.com
[ alt_freenas ]
IP.1 = 192.168.2.13
IP.2 = 192.168.2.130
IP.3 = 127.0.0.1
DNS.1 = FreeNAS.WRT
DNS.2 = your-fqdn.com
[ alt_vpn_server1 ]
IP.1 = 10.0.0.1
DNS.1 = your.ddns.com
# Clients #
[ alt_vpn1_user1 ]
email.1 = [email protected]
DNS.1 = VPN1-Client1-Device1
DNS.2 = VPN1-Client1-Device2
#--------------------------------------------------------------------
##----- Intermediate Certificate Authority Clients -----##
#--------------------------------------------------------------------
# Router 2 #
# Servers #
[ alt_openwrt ]
IP.1 = 192.168.2.2
IP.2 = 127.0.0.1
DNS.1 = LAN.WRT
[ alt_vpn_server2 ]
IP.1 = 10.0.1.1
DNS.1 = your.ddns.com
# Clients #
[ alt_vpn2_user1 ]
DNS.1 = VPN2-Client1-Device1
email.1 = [email protected]
[ alt_vpn2_user2 ]
DNS.1 = VPN2-Client2-Device1
DNS.2 = VPN2-Client2-Device2
email.1 = [email protected]
# Code Signing #
# Cert1 #
[ alt_codesign ]
email.1 = [email protected]
#====================================================================
##----- Establish Certificate Authority V3 Profiles -----##
#--------------------------------------------------------------------
# These V3 CA profiles must not be modified to contain any more, or any less, KUs.
# These have been configured specifically for security & its imperative no other keyUsages are set
# For an ICA to be capable of signing CAs/ICAs, 'pathlen' number must mirror number of CAs/ICAs it can sign
# By default, all ICAs 'pathlen' values are set to 0, meaning they can sign certs, but not other CAs/ICAs.
# If 'pathlen' is not specified, CA/ICA can sign an infinite number of other CAs/ICAs.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = @alt_ca_main
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
[ v3_ica_router2 ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = @alt_ica_router2
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
[ v3_signing_ica ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
subjectAltName = @alt_signing_ica
[ crl_ext ]
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always, issuer:always
#====================================================================
##----- Establish Generalized V3 Certificate Profiles -----##
#--------------------------------------------------------------------
[ v3_req ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
[ usr_cert_dn ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, emailProtection
[ usr_cert_not_dn ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = email:copy
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth, emailProtection
#====================================================================
##----- Establish Client Certificate V3 Profiles -----##
#--------------------------------------------------------------------
# These V3 profiles should not be modified to contain less than what they are currently configured with.
# These have been specifically configured with security in mind.
# All servers capable of TLS should contain all keyUsages, except for 'dataEncipherment'
# VPN and file servers should not have less than: 'digitalSignature, keyEncipherment, keyAgreement'
# All servers must contain EKU 'serverAuth'
# All server [VPN] clients must contain EKU 'clientAuth'
#--------------------------------------------------------------------
##----- Certificate Authority Clients -----##
#--------------------------------------------------------------------
# Main #
# Servers #
[ v3_sophos ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_sophos
[ v3_freenas ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_freenas
[ v3_vpn_server1 ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_vpn_server1
# Clients #
[ v3_vpn1_user1 ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_vpn1_user1
#--------------------------------------------------------------------
##----- Intermediate Certificate Authority Clients -----##
#--------------------------------------------------------------------
# Router 2 #
# Servers #
[ v3_openwrt ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_openwrt
[ v3_vpn_server2 ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_vpn_server2
# Clients #
[ v3_vpn2_user1 ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_vpn2_user1
[ v3_vpn2_user2 ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_vpn2_user2
# Code Signing #
# Certificates #
[ v3_codesign ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature
extendedKeyUsage = critical, codeSigning, msCodeInd, msCodeCom, msCTLSign, timeStamping
subjectAltName = @alt_codesign