X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fopenssl.cnf;h=7d1a8bb6e7f06b7abf6df53dca4e3170b7fdd2f6;hp=53c4bef04481f40ab70e7c2cec9eee45357ff05b;hb=c190506cd827221a861c3207ae2496ea1ec7a1fd;hpb=2cc7acd273bc39f1360aed52400d18bb65b88a95

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 53c4bef044..7d1a8bb6e7 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -3,6 +3,10 @@
 # This is mostly being used for generation of certificate requests.
 #
 
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
 # This definition stops the following lines choking if HOME isn't
 # defined.
 HOME			= .
@@ -233,11 +237,7 @@ subjectKeyIdentifier=hash
 
 authorityKeyIdentifier=keyid:always,issuer
 
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
 
 # Key usage: this is typical for a CA certificate. However since it will
 # prevent it being used as an test self-signed certificate it is best
@@ -348,3 +348,5 @@ tsa_name		= yes	# Must the TSA name be included in the reply?
 				# (optional, default: no)
 ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
 				# (optional, default: no)
+ess_cert_id_alg		= sha1	# algorithm to compute certificate
+				# identifier (optional, default: sha1)