2 files changed, 7 insertions, 2 deletions

diff --git a/CMakeLists.txt b/CMakeLists.txt
index a3a43f5..a86cb77 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -10,7 +10,7 @@
 # All programs link against common (shared helpers and config parser) which in
 # turn depends on open62541.
 
-cmake_minimum_required(VERSION 4.0)
+cmake_minimum_required(VERSION 3.17)
 project(BobinkOpcUaC C)
 
 set(CMAKE_C_STANDARD 11)
diff --git a/tools/generate_certificate.sh b/tools/generate_certificate.sh
index 64ef981..18061f7 100755
--- a/tools/generate_certificate.sh
+++ b/tools/generate_certificate.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # generate_certificate.sh — Create a self-signed X.509 certificate for
 # open62541 OPC UA applications.  Outputs DER-encoded certificate and
 # private-key files suitable for the demo programs in this project.
@@ -12,6 +12,8 @@
 #   <certs_dir>/<name>_cert.der   — DER-encoded X.509 certificate
 #   <certs_dir>/<name>_cert.pem   — PEM-encoded X.509 certificate
 #   <certs_dir>/<name>_key.der    — DER-encoded RSA private key
+#   <certs_dir>/<name>_key.pem    — PEM-encoded RSA private key
+#   <certs_dir>/<name>.cnf        — OpenSSL config (intermediate, kept for reference)
 
 set -euo pipefail # Fail fast; no unset vars; catch pipe failures.
 
@@ -39,6 +41,9 @@ C  = FR
 O  = Bobink
 CN = ${cn}
 
+# OPC UA Part 6 §6.2.2: application-instance certificates must carry these
+# key usages, both server and client auth, and a URI SAN matching the
+# application URI.
 [v3_ext]
 basicConstraints = CA:FALSE
 keyUsage = digitalSignature, keyEncipherment, nonRepudiation, dataEncipherment