blob: 71674b9c07cc113bf61eddd4f5cef8940f0aae1d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
#[ usr_cert_scarduser ]
[ template_x509_extensions ]
# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
crlDistributionPoints=URI:$CRLDISTPT
# For normal client use this is typical
nsCertType = client, email
# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Smart Card Login Certificate for @@USER_PRINCIPAL_NAME@@"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
subjectAltName=email:copy,otherName:msUPN;UTF8:@@USER_PRINCIPAL_NAME@@
# Copy subject details
issuerAltName=issuer:copy
nsCaRevocationUrl = $CRLDISTPT
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#Extended Key requirements for client certs
extendedKeyUsage = clientAuth,scardLogin
|
