Update OpenSSL config files for support for .machine keyring

Update the OpenSSL config files for support for loading certs onto the .machine keyring where certain key usage flags must be set. Also update the OpenSSL config files shown in the README. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-04-27 22:32:31 +02:00 · 2023-04-26 18:35:57 -04:00 · 2023-04-26 18:35:57 -04:00 · 9f669a6b38
commit 9f669a6b38
parent 6e1b9b1521
3 changed files with 4 additions and 2 deletions
--- a/3
+++ b/3
@ -235,6 +235,7 @@ Configuration file x509_evm.genkey:
 	[ myexts ]
 	basicConstraints=critical,CA:FALSE
 	keyUsage=digitalSignature
+	extendedKeyUsage=critical,codeSigning
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid
 	# EOF
@ -287,7 +288,7 @@ Configuration file ima-local-ca.genkey:
 	basicConstraints=CA:TRUE
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid:always,issuer
-	# keyUsage = cRLSign, keyCertSign
+	keyUsage = cRLSign, keyCertSign
 	# EOF

 Generate private key and X509 public key certificate:
--- a/examples/ima-gen-local-ca.sh
+++ b/examples/ima-gen-local-ca.sh
@ -19,7 +19,7 @@ emailAddress = ca@ima-ca
 basicConstraints=CA:TRUE
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
 __EOF__

 openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
--- a/examples/ima-genkey.sh
+++ b/examples/ima-genkey.sh
@ -20,6 +20,7 @@ basicConstraints=critical,CA:FALSE
 #basicConstraints=CA:FALSE
 keyUsage=digitalSignature
 #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
 #authorityKeyIdentifier=keyid,issuer