    # cd /root/ca
    # openssl req -config openssl.cnf \
          -key private/ca.key.pem \
          -new -x509 -days 7300 -sha256 -extensions v3_ca \
          -out certs/ca.cert.pem

    Enter pass phrase for ca.key.pem: secretpassword
    You are about to be asked to enter information that will be incorporated into your certificate request.

OpenSSL - User - How to set nsCertType=SERVER for a server

In that openssl.cnf file add section [server] (actually that name probably does not matter) and in it add a line nsCertType=server and when signing a request, add to command line -extensions server (at least that appears, what easyrsa script was doing)

openssl.cnf · GitHub

    # nsCertType = client, email
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    # This will be displayed in Netscape's comment listbox.
    nsComment = "OpenSSL Generated Certificate"

OpenSSL (Keys and Certificates) · HOWTO setup a small OpenSSL Helper Tools. You can use one of the numerous scripts and tools for easier key and certificate management (e.g., easy-rsa which is shipped with OpenVPN). To make your decision even a bit harder, I also wrote such a tool (ssl-util.sh). More details are given by the tools.

Creating Self-Signed SSL Server Certificate with NSS - Dogtag

The nsCertType x509 extension is very old, and barely used. We already have had an alternative for a long time: --remote-cert-tls uses the far more common keyUsage and extendedKeyUsage extensions instead. OpenSSL 1.1 no longer exposes an API to (separately) check the nsCertType x509 extension.

OpenSSL - ArchWiki

OpenSSL is an open-source implementation of the SSL and TLS protocols, dual-licensed under the OpenSSL (Apache License 1.0) and the SSLeay (4-clause BSD) licenses. It is supported on a variety of platforms, including BSD, Linux, OpenVMS, Solaris and Windows. It is designed to be as flexible as possible, and is free to use for both personal and commercial uses.

HOWTO – Setup a Fips Compliant Root Certificate Authority

    nsCertType = server
    nsComment = "OpenSSL Generated Server Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth

Create the CA. For this document we will be using OpenSSL …

certificates - SSL Cert Types and Key Usage - Information

nsCertType is an old Netscape-specific extension, which was used by the Netscape browser at a time when that browser was still alive. You can forget it nowadays. The signing CA, by principle, acts in any way as it sees fit. It can put whatever it wishes in your certificate.