[PATCH ima-evm-utils v3 2/4] Update OpenSSL config files for support for .machine keyring

Update the OpenSSL config files for support for loading certs onto
the .machine keyring where certain key usage flags must be set.

Also update the OpenSSL config files shown in the README.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
 README                       | 3 ++-
 examples/ima-gen-local-ca.sh | 2 +-
 examples/ima-genkey.sh       | 1 +
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/README b/README
index ae92f95..9e47eaf 100644
--- a/README
+++ b/README
@@ -235,6 +235,7 @@ Configuration file x509_evm.genkey:
 	[ myexts ]
 	basicConstraints=critical,CA:FALSE
 	keyUsage=digitalSignature
+	extendedKeyUsage=critical,codeSigning
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid
 	# EOF
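Review bot: the README listing now shows `extendedKeyUsage=critical,codeSigning` but the surrounding README text (not in this hunk) is not updated to say why it is there; add a sentence stating that the codeSigning EKU is required when the certificate is to be loaded onto the kernel's .machine keyring, as the commit message explains, so that readers who do not need that keyring know the line is safe to drop. Because the extension is marked critical, a verifier that does not implement EKU processing must reject the certificate (RFC 5280, section 4.2), which is also worth stating in the README next to the listing.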
@@ -287,7 +288,7 @@ Configuration file ima-local-ca.genkey:
 	basicConstraints=CA:TRUE
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid:always,issuer
-	# keyUsage = cRLSign, keyCertSign
+	keyUsage = cRLSign, keyCertSign
 	# EOF
 
 Generate private key and X509 public key certificate:
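Review bot: the uncommented `keyUsage = cRLSign, keyCertSign` uses a different spacing style from the neighbouring `basicConstraints=CA:TRUE` and `subjectKeyIdentifier=hash` lines; for consistency write it as `keyUsage=cRLSign,keyCertSign`. Consider also marking it critical (`keyUsage=critical,cRLSign,keyCertSign`), since RFC 5280 says conforming CAs should mark keyUsage critical when present, and the leaf certificate listing in this same patch already marks its extendedKeyUsage critical, so the two listings are currently inconsistent on that point.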
diff --git a/examples/ima-gen-local-ca.sh b/examples/ima-gen-local-ca.sh
index 055463c..6fd4997 100755
--- a/examples/ima-gen-local-ca.sh
+++ b/examples/ima-gen-local-ca.sh
@@ -19,7 +19,7 @@ emailAddress = ca@ima-ca
 basicConstraints=CA:TRUE
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
 __EOF__
 
 openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
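Review bot: this hunk turns what was an opt-in commented line into an always-on setting, so anyone regenerating a local CA with this script now gets a certificate with keyUsage asserted; add a short comment above the `keyUsage = cRLSign, keyCertSign` line saying that keyCertSign is needed for the CA to be accepted onto the .machine keyring, matching the commit message, so the script documents itself the way its README counterpart should. The same spacing note applies as for the README listing: `keyUsage=cRLSign,keyCertSign` matches the style of the adjacent lines.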
diff --git a/examples/ima-genkey.sh b/examples/ima-genkey.sh
index c09205a..00fa648 100755
--- a/examples/ima-genkey.sh
+++ b/examples/ima-genkey.sh
@@ -20,6 +20,7 @@ basicConstraints=critical,CA:FALSE
 #basicConstraints=CA:FALSE
 keyUsage=digitalSignature
 #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
 #authorityKeyIdentifier=keyid,issuer
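Review bot: `extendedKeyUsage=critical,codeSigning` is inserted among lines that follow a pattern of an active setting followed by a commented alternative (`keyUsage=digitalSignature` / `#keyUsage = nonRepudiation, ...`), but no comment explains why codeSigning is mandatory here; add a one-line comment referencing the .machine keyring requirement from the commit message so users who generate keys for other purposes understand the effect. Also note the asymmetry with the line above it: keyUsage is left non-critical while extendedKeyUsage is critical, and since a critical extension forces rejection by any verifier that does not process EKU (RFC 5280, section 4.2), the choice to make only EKU critical deserves a comment or a mention in the commit message.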
-- 
2.39.2