From 965db7e3243aecb02f7f57b4fe8dabe9ad50a697 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Wed, 18 Feb 2026 23:47:23 +0100
Subject: Lower cmake_minimum_required to 3.17 and tidy generate_certificate.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

4.0 was unnecessarily strict — the highest feature used is
foreach(IN ZIP_LISTS) from 3.17.  Also fix the shebang, complete the
Produces header, and document the OPC UA v3_ext requirements.
---
 tools/generate_certificate.sh | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'tools')

diff --git a/tools/generate_certificate.sh b/tools/generate_certificate.sh
index 64ef981..18061f7 100755
--- a/tools/generate_certificate.sh
+++ b/tools/generate_certificate.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # generate_certificate.sh — Create a self-signed X.509 certificate for
 # open62541 OPC UA applications.  Outputs DER-encoded certificate and
 # private-key files suitable for the demo programs in this project.
@@ -12,6 +12,8 @@
 #   <certs_dir>/<name>_cert.der   — DER-encoded X.509 certificate
 #   <certs_dir>/<name>_cert.pem   — PEM-encoded X.509 certificate
 #   <certs_dir>/<name>_key.der    — DER-encoded RSA private key
+#   <certs_dir>/<name>_key.pem    — PEM-encoded RSA private key
+#   <certs_dir>/<name>.cnf        — OpenSSL config (intermediate, kept for reference)
 
 set -euo pipefail # Fail fast; no unset vars; catch pipe failures.
 
@@ -39,6 +41,9 @@ C  = FR
 O  = Bobink
 CN = ${cn}
 
+# OPC UA Part 6 §6.2.2: application-instance certificates must carry these
+# key usages, both server and client auth, and a URI SAN matching the
+# application URI.
 [v3_ext]
 basicConstraints = CA:FALSE
 keyUsage = digitalSignature, keyEncipherment, nonRepudiation, dataEncipherment
-- 
cgit v1.2.3