From f1fb50183f4ebf0a935302e01203417721e5759d Mon Sep 17 00:00:00 2001
From: Jakub Czajka
Date: Sat, 3 Jun 2023 10:31:16 +0200
Subject: [PATCH] [ca] Document instructions for email certificates.
---
 ca/README | 20 +++++++++++++++-----
 ca/ca.cnf | 11 +++++++++++
 2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/ca/README b/ca/README
index 6b2e567..de645f0 100644
--- a/ca/README
+++ b/ca/README
@@ -33,13 +33,22 @@ $ sudo --preserve-env openssl x509 -req -days 365 -sha256 -CA ca.pem \
 -CAkey private/ca.key -next_serial -in certs/.csr -out certs/.crt
 ```
-Other output formats are also possible [4].
+Other output formats are also possible [4]. If generting an email certificate,
+add an extensions [5].
+
+```
+$ openssl req -config ca.cnf -new -key certs/private/.key \
+ -out certs/.csr -extensions email_cert
+$ openssl x509 -req -days 365 -sha256 -CA ca.pem -CAkey private/ca.key \
+ -next_serial -in certs/.csr -out certs/.crt \
+ -extensions email_cert
+```
 Import
 ------
-Transform the certificate and the private key [5]. Upload the result to the
-browser [6].
+Transform the certificate and the private key [6]. Upload the result to the
+browser [7].
 ```
 $ openssl pkcs12 -export -inkey .key -in .crt -out .p12
@@ -49,5 +58,6 @@ $ openssl pkcs12 -export -inkey .key -in .crt -out .p12
 [2] https://stackoverflow.com/a/41366949
 [3] https://gist.github.com/croxton/ebfb5f3ac143cd86542788f972434c96
 [4] https://gist.github.com/alexishida/607cca2e51ec356b1fe1909047ec70fd
-[5] https://superuser.com/a/1628622
-[6] https://superuser.com/a/1577753
+[5] https://unix.stackexchange.com/a/348488
+[6] https://superuser.com/a/1628622
+[7] https://superuser.com/a/1577753
diff --git a/ca/ca.cnf b/ca/ca.cnf
index f465f20..e3c2a1b 100644
--- a/ca/ca.cnf
+++ b/ca/ca.cnf
@@ -220,6 +220,17 @@ authorityKeyIdentifier=keyid,issuer
 # This is required for TSA certificates.
 # extendedKeyUsage = critical,timeStamping
+[ email_cert ]
+
+basicConstraints=CA:FALSE
+
+nsComment = "OpenSSL Generated Certificate"
+nsCertType = client, email
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
 [ v3_req ]
 # Extensions to add to a certificate request
-- 
2.39.5
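Review bot: The new `[ email_cert ]` section does not restrict what the issued certificate may be used for: it sets no `keyUsage` and no `extendedKeyUsage`, and `nsCertType = client, email` is the legacy Netscape extension that most current mail and TLS clients do not consult, so a certificate issued with `-extensions email_cert` is effectively unconstrained rather than limited to S/MIME. It also defines no `subjectAltName`, while S/MIME clients match the sender address against an rfc822Name in the SAN (RFC 5750), not against the subject DN alone. I would add `keyUsage = critical, digitalSignature, keyEncipherment` (drop keyEncipherment for non-RSA keys), `extendedKeyUsage = emailProtection` and `subjectAltName = email:copy` to the section, and note in a comment that `nsCertType` is kept only for legacy clients. The same file already shows the EKU syntax in the `# extendedKeyUsage = critical,timeStamping` context line two lines above, so the addition is consistent with the file's style.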