upd: enforce serverAuth EKU for SSL-pings

[gigi.git] / src / org / cacert / gigi / pages / account / domain / PingConfigForm.templ

diff --git a/src/org/cacert/gigi/pages/account/domain/PingConfigForm.templ b/src/org/cacert/gigi/pages/account/domain/PingConfigForm.templ
index 7d2eb5dc8412622dc1790c4bbaa4800694a42318..ff7c824b08459af219f4c050cc13f7924a39c431 100644 (file)
--- a/src/org/cacert/gigi/pages/account/domain/PingConfigForm.templ
+++ b/src/org/cacert/gigi/pages/account/domain/PingConfigForm.templ
@@ -28,7 +28,11 @@
   <div class="panel-heading"><input type="checkbox" name="SSLType" value="y"<?=$!ssl?>> <?=_Verify by searching for installed certificate.?></div>
   <div class="panel-body">
     <?=_Please list up to four services using your certificate. You need to have one of them up and using a valid SomeCA certificate or a specific self-signed certificate in order to pass this test?>:
-    <?=_The self-signed certificate needs to contain your domain as CN and ${tokenValue} as organization unit. With $!{openSSLHelp} OpenSSL command line utilities can generate such a certificate.?>:
+    <?=_The self-signed certificate needs to contain your domain as CN and ${tokenValue} as organization unit.?> <?=_You can use these commands to create such a certificate:?>
+    <code>
+openssl req -newkey rsa:4096 -subj "/CN=<span class='exampleDomain'>example.org</span>/OU=<?=$tokenValue?>" -nodes -out myCSR -keyout myKey<br>
+openssl x509 -req -in myCSR -signkey myKey -out myCert -extfile &lt;(printf 'extendedKeyUsage = serverAuth\n')
+    </code>
     <table>
     <? foreach($ssl-services){ ?>
     <tr><td><select name='ssl-type-<?=$i?>'>