@@ -235,6 +235,7 @@ Configuration file x509_evm.genkey:
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
+ extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# EOF
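Review bot: the README prose around the x509_evm.genkey block is not updated to say why the new `extendedKeyUsage=critical,codeSigning` line is required; only the configuration itself changes, so a reader may treat the line as optional and drop it. A sentence next to the block stating the reason given in the commit message (the cert must carry this usage to be loaded onto the .machine keyring) would document it. Since the extension is marked `critical`, any verifier that does not process extendedKeyUsage must reject the certificate, which is worth noting if the same cert is consumed by other tooling.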
@@ -287,7 +288,7 @@ Configuration file ima-local-ca.genkey:
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
- # keyUsage = cRLSign, keyCertSign
+ keyUsage = cRLSign, keyCertSign
# EOF
Generate private key and X509 public key certificate:
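Review bot: nothing in this hunk tells a reader that a local CA certificate generated with the previous README configuration (keyUsage commented out) lacks keyCertSign and therefore has to be regenerated, with the leaf certificates re-signed, before it can be loaded onto the .machine keyring. Suggest adding that note near the configuration or right after "Generate private key and X509 public key certificate:".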
@@ -19,7 +19,7 @@ emailAddress = ca@ima-ca
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
__EOF__
openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
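Review bot: the now-active `keyUsage = cRLSign, keyCertSign` is not marked critical, while the leaf extension added in ima-genkey.sh is (`extendedKeyUsage=critical,codeSigning`); RFC 5280 recommends marking keyUsage critical when present, so consider `keyUsage=critical,cRLSign,keyCertSign`, which also matches the `keyUsage=digitalSignature` spacing style used in the other genkey file. Minor and pre-existing: `-config $GENKEY` on the following openssl line is unquoted; `"$GENKEY"` is safer.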
@@ -20,6 +20,7 @@ basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
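Review bot: the added `extendedKeyUsage=critical,codeSigning` line carries no comment explaining its purpose, unlike the neighbouring lines that keep commented alternatives; a one-line comment such as `# required to load the cert onto the .machine keyring` (wording from the commit message) would document it for readers of the script. Also, this heredoc and the README x509_evm.genkey block now duplicate the same configuration, so a follow-up that keeps them identical or points the README at the script would avoid drift.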
Update the OpenSSL config files for support for loading certs onto the .machine keyring where certain key usage flags must be set. Also update the OpenSSL config files shown in the README.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 README                       | 3 ++-
 examples/ima-gen-local-ca.sh | 2 +-
 examples/ima-genkey.sh       | 1 +
 3 files changed, 4 insertions(+), 2 deletions(-)