etc/openssl.conf: Allow `keyEncipherment' for TLS clients.

For some reason libvirt doesn't accept client certificates without this,
even though TLS client authentication doesn't involve encipherting keys.

diff --git a/etc/openssl.conf b/etc/openssl.conf
index 4fa74a5a6706400788d64dbd3d825cccd59f7a83..847b1f5295376605fbbafe4d495e5a851f4061de 100644 (file)
--- a/etc/openssl.conf
+++ b/etc/openssl.conf
@@ -103,7 +103,7 @@ crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
 
 [tls-client-extensions]
 basicConstraints = critical, CA:FALSE
-keyUsage = critical, digitalSignature
+keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always