mirror of
https://github.com/samba-team/samba.git
synced 2025-01-05 09:18:06 +03:00
b0bdbeeef4
This is partly based on the SmartCard HowTo from: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
50 lines
1.5 KiB
INI
50 lines
1.5 KiB
INI
#[ usr_cert_mskdc ]
|
|
[ template_x509_extensions ]
|
|
|
|
# These extensions are added when 'ca' signs a request for a domain controller certificate.
|
|
|
|
# This goes against PKIX guidelines but some CAs do it and some software
|
|
# requires this to avoid interpreting an end user certificate as a CA.
|
|
|
|
basicConstraints=CA:FALSE
|
|
crlDistributionPoints=URI:$CRLDISTPT
|
|
|
|
# Here are some examples of the usage of nsCertType. If it is omitted
|
|
# the certificate can be used for anything *except* object signing.
|
|
|
|
# This is OK for an SSL server.
|
|
nsCertType = server
|
|
|
|
# This is typical in keyUsage for a client certificate.
|
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
|
|
# This will be displayed in Netscape's comment listbox.
|
|
nsComment = "Domain Controller Certificate @@DC_DNS_NAME@@"
|
|
|
|
# PKIX recommendations harmless if included in all certificates.
|
|
subjectKeyIdentifier=hash
|
|
authorityKeyIdentifier=keyid,issuer
|
|
|
|
# This stuff is for subjectAltName and issuerAltname.
|
|
|
|
subjectAltName=@dc_subjalt
|
|
|
|
# Copy subject details
|
|
issuerAltName=issuer:copy
|
|
|
|
nsCaRevocationUrl = $CRLDISTPT
|
|
#nsBaseUrl
|
|
#nsRevocationUrl
|
|
#nsRenewalUrl
|
|
#nsCaPolicyUrl
|
|
#nsSslServerName
|
|
|
|
#Extended Key requirements for our domain controller certs
|
|
# serverAuth - says cert can be used to identify an ssl/tls server
|
|
# msKDC - says cert can be used to identify a Kerberos Domain Controller.
|
|
extendedKeyUsage = clientAuth,serverAuth,msKDC
|
|
|
|
[dc_subjalt]
|
|
DNS=@@DC_DNS_NAME@@
|
|
otherName=msADGUID;FORMAT:HEX,OCTETSTRING:@@DC_OBJECTGUID_HEX@@
|