make EC test certificates usable for ECDH

diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index 99cb398742a48f1d93684da8fc90d0efe6369725..a5da21678e246f700e56e2251e5b9feb8f7fb773 100644 (file)
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -39,6 +39,17 @@ keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 # This will be displayed in Netscape's comment listbox.
 nsComment                      = "OpenSSL Generated Certificate"
 
+[ ec_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                      = "OpenSSL Generated Certificate"
+
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid

diff --git a/demos/certs/apps/mkxcerts.sh b/demos/certs/apps/mkxcerts.sh
index 88fb1c57c7489dcae29d27ed6a4496a9a49ae2ea..0f88a48fb8483861f245a49b7e61b03d9cab8a46 100644 (file)
--- a/demos/certs/apps/mkxcerts.sh
+++ b/demos/certs/apps/mkxcerts.sh
@@ -19,11 +19,11 @@ $OPENSSL ecparam -name P-256 -out ecp256.pem
 $OPENSSL ecparam -name P-384 -out ecp384.pem
 
 CN="OpenSSL Test P-256 SHA-256 cert" $OPENSSL req \
-       -config apps.cnf -extensions usr_cert -x509 -nodes \
+       -config apps.cnf -extensions ec_cert -x509 -nodes \
        -nodes -keyout tecp256.pem -out tecp256.pem -newkey ec:ecp256.pem \
        -days 3650 -sha256
 
 CN="OpenSSL Test P-384 SHA-384 cert" $OPENSSL req \
-       -config apps.cnf -extensions usr_cert -x509 -nodes \
+       -config apps.cnf -extensions ec_cert -x509 -nodes \
        -nodes -keyout tecp384.pem -out tecp384.pem -newkey ec:ecp384.pem \
        -days 3650 -sha384