James Yonan wrote:
I agree that offering an option to check nsCertType is a good idea; I will
add this to the list.
FYI - I wouldn't rely totally on nsCertType as that is Netscape-specific
(although commonly set as they invented SSL!). I'm assuming here that
most people would use the self-signed certs or an openssl-generated CA -
so that choice would be fine - as you just tell users what to do. But
some users might already have an existing PKI infrastructure and want to
use certs signed by that. So yes - set nsCertType accordingly - but I'd
suggest you also use the extendedKeyUsage field to set "serverAuth" and
"clientAuth" appropriately.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
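
The suggestion in the message above, as an added example that is not part of the original post: a throwaway CA issues one server and one client certificate carrying both nsCertType and extendedKeyUsage, and `openssl verify -purpose` shows each one accepted only in its own role. The file names, section names and subject names (`pki.cnf`, `server_ext`, `demo-ca`, and so on) are constructed for the demo.

```shell
#!/bin/sh
# Added example: demo PKI where every leaf carries nsCertType AND extendedKeyUsage.
# All names below are constructed for illustration.
make_demo_pki() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/pki.cnf" \
        -subj "/CN=demo-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    for role in server client; do
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
            -subj "/CN=demo-$role" -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$role.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -extfile "$dir/pki.cnf" -extensions "${role}_ext" \
            -out "$dir/$role.crt" 2>/dev/null || return 1
    done
}

# cert_allows DIR ROLE PURPOSE: exit 0 only if DIR/ROLE.crt chains to the
# demo CA and its extensions permit PURPOSE (sslserver or sslclient).
cert_allows() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Stand-alone run: print the role/purpose matrix, then clean up.
d=$(mktemp -d) && make_demo_pki "$d" && for role in server client; do
    for purpose in sslserver sslclient; do
        cert_allows "$d" "$role" "$purpose" && r=accepted || r=rejected
        echo "demo-$role as $purpose: $r"
    done
done
rm -rf "$d"
```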