Lower cmake_minimum_required to 3.17 and tidy generate_certificate.sh

4.0 was unnecessarily strict — the highest feature used is
foreach(IN ZIP_LISTS) from 3.17.  Also fix the shebang, complete the
Produces header, and document the OPC UA v3_ext requirements.

1 files changed, 6 insertions, 1 deletions

diff --git a/tools/generate_certificate.sh b/tools/generate_certificate.sh
index 64ef981..18061f7 100755
--- a/tools/generate_certificate.sh
+++ b/tools/generate_certificate.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # generate_certificate.sh — Create a self-signed X.509 certificate for
 # open62541 OPC UA applications.  Outputs DER-encoded certificate and
 # private-key files suitable for the demo programs in this project.
@@ -12,6 +12,8 @@
 #   <certs_dir>/<name>_cert.der   — DER-encoded X.509 certificate
 #   <certs_dir>/<name>_cert.pem   — PEM-encoded X.509 certificate
 #   <certs_dir>/<name>_key.der    — DER-encoded RSA private key
+#   <certs_dir>/<name>_key.pem    — PEM-encoded RSA private key
+#   <certs_dir>/<name>.cnf        — OpenSSL config (intermediate, kept for reference)
 
 set -euo pipefail # Fail fast; no unset vars; catch pipe failures.
 
@@ -39,6 +41,9 @@ C  = FR
 O  = Bobink
 CN = ${cn}
 
+# OPC UA Part 6 §6.2.2: application-instance certificates must carry these
+# key usages, both server and client auth, and a URI SAN matching the
+# application URI.
 [v3_ext]
 basicConstraints = CA:FALSE
 keyUsage = digitalSignature, keyEncipherment, nonRepudiation, dataEncipherment