From: Mark Wooding
Date: Sat, 1 Dec 2012 19:50:08 +0000 (+0000)
Subject: etc/openssl.conf: Allow `keyEncipherment' for TLS clients.
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/ca/commitdiff_plain/fef9ff136f75dd48f95812ed39e1bd59b69d3a10

etc/openssl.conf: Allow `keyEncipherment' for TLS clients.

For some reason libvirt doesn't accept client certificates without this,
even though TLS client authentication doesn't involve enciphering keys.

---
diff --git a/etc/openssl.conf b/etc/openssl.conf index 4fa74a5..847b1f5 100644 --- a/etc/openssl.conf +++ b/etc/openssl.conf @@ -103,7 +103,7 @@ crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl [tls-client-extensions] basicConstraints = critical, CA:FALSE -keyUsage = critical, digitalSignature +keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always
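
Review bot: The widened `keyUsage` line in `[tls-client-extensions]` has no comment saying why `keyEncipherment` is there, so the reason (libvirt rejecting client certificates without it) lives only in the commit message and the bit looks like a mistake to anyone reading the config later. Please add a comment above the line recording that it is a compatibility concession for libvirt. Because the extension is marked `critical` and this section applies to every TLS client certificate the CA issues, the extra usage is granted to all clients, not only the ones talking to libvirt; consider whether a separate client extensions section for those certificates would keep the default at `digitalSignature` alone.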