config.tcl: New profile for devices which can't accept certificate updates.

[ca] / etc / openssl.conf

diff --git a/etc/openssl.conf b/etc/openssl.conf
index 1accc80..1fe673a 100644 (file)
--- a/etc/openssl.conf
+++ b/etc/openssl.conf
@@ -103,7 +103,7 @@ crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
 
 [tls-client-extensions]
 basicConstraints = critical, CA:FALSE
-keyUsage = critical, digitalSignature
+keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always