From f740315ef25ce2d613baee6c4b3b04fe289da995 Mon Sep 17 00:00:00 2001
From: jbjohnso
Date: Mon, 14 Jan 2013 16:40:51 +0000
Subject: [PATCH] Have keyUsage and extendedkeyusage set for user/server certficates as is befitting each role

git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@14876 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
---
 xCAT-server/share/xcat/ca/openssl.cnf.tmpl | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xCAT-server/share/xcat/ca/openssl.cnf.tmpl b/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
index db3cb702d..ee26a53eb 100644
--- a/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
+++ b/xCAT-server/share/xcat/ca/openssl.cnf.tmpl
@@ -162,6 +162,8 @@ nsCertType = server, client, objsign
 nsComment = "OpenSSL Generated Server Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
+keyUsage = digiatalSignature,KeyAgreement
+extendedKeyUsage = serverAuth
 [ usr_cert ]
@@ -171,6 +173,8 @@ authorityKeyIdentifier=keyid,issuer
 # requires this to avoid interpreting an end user certificate as a CA.
 basicConstraints=CA:FALSE
+keyUsage = digiatalSignature,KeyAgreement
+extendedKeyUsage = clientAuth
 # Here are some examples of the usage of nsCertType. If it is omitted
 # the certificate can be used for anything *except* object signing.
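Review bot: `digiatalSignature` in the added `keyUsage` line is misspelled and `KeyAgreement` does not match OpenSSL's `keyAgreement`; OpenSSL compares these names literally, so certificate signing with this section should fail on an unknown value instead of setting the bits. The identical line in the `[ usr_cert ]` hunk has the same problem. I would change the server line to `keyUsage = digitalSignature, keyEncipherment` and the user line to `keyUsage = digitalSignature`, assuming RSA keys (not visible here): keyAgreement only applies to static DH/ECDH keys, and RSA key-transport cipher suites need keyEncipherment. Separately, `nsCertType = server, client, objsign` shown in the first hunk header still marks server certificates as client and object-signing capable, which works against `extendedKeyUsage = serverAuth`; both sections start outside the hunks, so I cannot see what else they set.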