From a6df72cfc8a61d43585a80a5b2b1f2de4282986d Mon Sep 17 00:00:00 2001
From: Aldo Cortesi
Date: Tue, 27 Mar 2012 17:01:18 +1300
Subject: [PATCH] Generate better-formed CAs.

If you're having trouble with your certs in Firefox, you may want to delete your .mitmproxy directory to re-generate the CA.
---
 libmproxy/certutils.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libmproxy/certutils.py b/libmproxy/certutils.py
index b807e483b..aae0d7ab8 100644
--- a/libmproxy/certutils.py
+++ b/libmproxy/certutils.py
@@ -12,9 +12,10 @@ def create_ca():
 key = OpenSSL.crypto.PKey()
 key.generate_key(OpenSSL.crypto.TYPE_RSA, 1024)
 ca = OpenSSL.crypto.X509()
- ca.set_version(3)
+ ca.set_serial_number(int(time.time()*10000))
+ ca.set_version(2)
 ca.get_subject().CN = "mitmproxy"
- ca.get_subject().OU = "mitmproxy"
+ ca.get_subject().O = "mitmproxy"
 ca.gmtime_adj_notBefore(0)
 ca.gmtime_adj_notAfter(24 * 60 * 60 * 720)
 ca.set_issuer(ca.get_subject())
@@ -27,7 +28,7 @@ def create_ca():
 OpenSSL.crypto.X509Extension("extendedKeyUsage", True, "serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC" ),
- OpenSSL.crypto.X509Extension("keyUsage", True,
+ OpenSSL.crypto.X509Extension("keyUsage", False,
 "keyCertSign, cRLSign"),
 OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca),
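Review bot: The context line `key.generate_key(OpenSSL.crypto.TYPE_RSA, 1024)` in the first hunk still creates a 1024-bit RSA key for a CA that users install as a trusted root. Since this commit already asks people to delete `.mitmproxy` and regenerate, it is the natural point to raise it, e.g. `key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)`. The added `ca.set_serial_number(int(time.time()*10000))` makes the serial clock-derived, so it is predictable and repeats if two CAs are generated within the same 100 µs; presumably it only has to differ between regenerated CAs with the same subject, and a one-line comment saying so (or a random serial) would make that intent explicit. The call also depends on `time` being imported at the top of certutils.py, which this hunk does not show; create_ca() begins and continues outside the hunk.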
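Review bot: The changed `OpenSSL.crypto.X509Extension("keyUsage", False,` line in the second hunk drops the critical flag with no explanation, while RFC 5280 recommends that a CA mark keyUsage critical when it is present. If this is a client-compatibility workaround (the commit message mentions Firefox), record it next to the line, e.g. `# keyUsage non-critical: <client/behaviour that rejected the critical form>`. Separately, the unchanged extendedKeyUsage list above it still grants code-signing and other purposes (`msCodeInd`, `msCodeCom`, `emailProtection`, ...) to a root that users are asked to trust. Limiting it to what interception needs, presumably `serverAuth`, would narrow what the stored CA key can vouch for if it is ever exposed. The extension list starts and ends outside this hunk.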