[stunnel-users] stunnel.cnf should set keyUsage = keyCertSign

• Previous message (by thread): [stunnel-users] stunnel.cnf should set keyUsage = keyCertSign
• Next message (by thread): [stunnel-users] Tool Information
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Athir Nuaimi wrote:
> Im trying to write a go program to connect to an stunnel server and
> verify the certificate but it fails because the go language requires
> that self-signed certs have keyCertSign set in the keyUsages.  the
> default stunnel.cnf does not set this.  According to the following
> message thread this is required by RFC 5280.
>
> 
> https://groups.google.com/forum/#!msg/golang-nuts/LfLHjVkeSj8/YyP-LSPEytEJ
> [1]
>
> The solution to this is to add keyUsage = keyCertSign to the
> stunnel.cnf.

Good point.  What would be the right options for self-signed SSL certs?

My guess is:

nsCertType       = server
basicConstraints = CA:TRUE,pathlen:0
keyUsage         = keyCertSign
extendedKeyUsage = serverAuth

Mike

• Previous message (by thread): [stunnel-users] stunnel.cnf should set keyUsage = keyCertSign
• Next message (by thread): [stunnel-users] Tool Information
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]