make EC test certificates usable for ECDH

2 files changed, 13 insertions, 2 deletions

diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index 99cb398742..a5da21678e 100644
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -39,6 +39,17 @@ keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 # This will be displayed in Netscape's comment listbox.
 nsComment			= "OpenSSL Generated Certificate"
 
+[ ec_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
diff --git a/demos/certs/apps/mkxcerts.sh b/demos/certs/apps/mkxcerts.sh
index 88fb1c57c7..0f88a48fb8 100644
--- a/demos/certs/apps/mkxcerts.sh
+++ b/demos/certs/apps/mkxcerts.sh
@@ -19,11 +19,11 @@ $OPENSSL ecparam -name P-256 -out ecp256.pem
 $OPENSSL ecparam -name P-384 -out ecp384.pem
 
 CN="OpenSSL Test P-256 SHA-256 cert" $OPENSSL req \
-	-config apps.cnf -extensions usr_cert -x509 -nodes \
+	-config apps.cnf -extensions ec_cert -x509 -nodes \
 	-nodes -keyout tecp256.pem -out tecp256.pem -newkey ec:ecp256.pem \
 	-days 3650 -sha256
 
 CN="OpenSSL Test P-384 SHA-384 cert" $OPENSSL req \
-	-config apps.cnf -extensions usr_cert -x509 -nodes \
+	-config apps.cnf -extensions ec_cert -x509 -nodes \
 	-nodes -keyout tecp384.pem -out tecp384.pem -newkey ec:ecp384.pem \
 	-days 3650 -sha384