X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=apps%2Fopenssl.cnf;h=32ee9e9fbbba56f8cb8590766796fd0c88c520af;hb=89a01e692f41cd4f048e706547c61a38342df604;hp=53c4bef04481f40ab70e7c2cec9eee45357ff05b;hpb=2cc7acd273bc39f1360aed52400d18bb65b88a95;p=openssl.git

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 53c4bef044..32ee9e9fbb 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -233,11 +233,7 @@ subjectKeyIdentifier=hash
 
 authorityKeyIdentifier=keyid:always,issuer
 
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
@@ -348,3 +344,5 @@ tsa_name		= yes	# Must the TSA name be included in the reply?
 				# (optional, default: no)
 ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
 				# (optional, default: no)
+ess_cert_id_alg		= sha1	# algorithm to compute certificate
+				# identifier (optional, default: sha1)