samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2025-01-22 22:04:08 +03:00

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

selftest: add some helper scripts to mange a CA This is partly based on the SmartCard HowTo from: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> 2016-01-09 01:06:05 +01:00			`#[ usr_cert_scarduser ]`
			`[ template_x509_extensions ]`

			`# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card`

			`# This goes against PKIX guidelines but some CAs do it and some software`
			`# requires this to avoid interpreting an end user certificate as a CA.`

			`basicConstraints=CA:FALSE`
			`crlDistributionPoints=URI:$CRLDISTPT`

			`# For normal client use this is typical`
			`nsCertType = client, email`

			`# This is typical in keyUsage for a client certificate.`
			`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`

			`# This will be displayed in Netscape's comment listbox.`
			`nsComment = "Smart Card Login Certificate for @@USER_PRINCIPAL_NAME@@"`

			`# PKIX recommendations harmless if included in all certificates.`
			`subjectKeyIdentifier=hash`
			`authorityKeyIdentifier=keyid,issuer`

			`# This stuff is for subjectAltName and issuerAltname.`

			`subjectAltName=email:copy,otherName:msUPN;UTF8:@@USER_PRINCIPAL_NAME@@`

			`# Copy subject details`
			`issuerAltName=issuer:copy`

			`nsCaRevocationUrl = $CRLDISTPT`
			`#nsBaseUrl`
			`#nsRevocationUrl`
			`#nsRenewalUrl`
			`#nsCaPolicyUrl`
			`#nsSslServerName`

			`#Extended Key requirements for client certs`
			`extendedKeyUsage = clientAuth,scardLogin`