Re: [stunnel-users] stunnel.cnf should set keyUsage = keyCertSign

Athir Nuaimi wrote:

Im trying to write a go program to connect to an stunnel server and verify the certificate but it fails because the go language requires that self-signed certs have keyCertSign set in the keyUsages.  the default stunnel.cnf does not set this.  According to the following message thread this is required by RFC 5280.

https://groups.google.com/forum/#!msg/golang-nuts/LfLHjVkeSj8/YyP-LSPEytEJ [1]

The solution to this is to add keyUsage = keyCertSign to the stunnel.cnf.

Good point. What would be the right options for self-signed SSL certs?

My guess is:

nsCertType = server basicConstraints = CA:TRUE,pathlen:0 keyUsage = keyCertSign extendedKeyUsage = serverAuth

Mike