1 files changed, 38 insertions, 4 deletions
diff --git a/BaseTools/Source/Python/Pkcs7Sign/Readme.md b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
index c904907000..fee0327876 100644
--- a/BaseTools/Source/Python/Pkcs7Sign/Readme.md
+++ b/BaseTools/Source/Python/Pkcs7Sign/Readme.md
@@ -21,10 +21,44 @@ You may need the following steps for initialization:
 
     rd ./demoCA /S/Q
     mkdir ./demoCA
-    echo "" > ./demoCA/index.txt
+    echo.>./demoCA/index.txt
     echo 01 > ./demoCA/serial
     mkdir ./demoCA/newcerts
 
+OpenSSL will apply the options from the specified sections in openssl.cnf when creating certificates or certificate signing requests. Make sure your configuration in openssl.cnf is correct and rational for certificate constraints.
+The following sample sections were used when generating test certificates in this readme.
+    ...
+    [ req ]
+    default_bits        = 2048
+    default_keyfile     = privkey.pem
+    distinguished_name  = req_distinguished_name
+    attributes          = req_attributes
+    x509_extensions     = v3_ca       # The extensions to add to the self signed cert
+    ...
+    [ v3_ca ]
+    # Extensions for a typical Root CA.
+    subjectKeyIdentifier=hash
+    authorityKeyIdentifier=keyid:always,issuer
+    basicConstraints = critical,CA:true
+    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+    ...
+    [ v3_intermediate_ca ]
+    # Extensions for a typical intermediate CA.
+    subjectKeyIdentifier = hash
+    authorityKeyIdentifier = keyid:always,issuer
+    basicConstraints = critical, CA:true
+    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+    ...
+    [ usr_cert ]
+    # Extensions for user end certificates.
+    basicConstraints = CA:FALSE
+    nsCertType = client, email
+    subjectKeyIdentifier = hash
+    authorityKeyIdentifier = keyid,issuer
+    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+    extendedKeyUsage = clientAuth, emailProtection
+    ...
+
 * Generate the certificate chain:
 
 NOTE: User MUST set a UNIQUE "Common Name" on the different certificate
@@ -37,7 +71,7 @@ Generate a root key:
 
 Generate a self-signed root certificate:
 
-    openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
+    openssl req -extensions v3_ca -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
     openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
     openssl x509 -inform DER -in TestRoot.cer -outform PEM -out TestRoot.pub.pem
 
@@ -50,7 +84,7 @@ Generate the intermediate key:
 Generate the intermediate certificate:
 
     openssl req -new -days 3650 -key TestSub.key -out TestSub.csr
-    openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key
+    openssl ca -extensions v3_intermediate_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key
     openssl x509 -in TestSub.crt -out TestSub.cer -outform DER
     openssl x509 -inform DER -in TestSub.cer -outform PEM -out TestSub.pub.pem
 
@@ -63,7 +97,7 @@ Generate User key:
 Generate User certificate:
 
     openssl req -new -days 3650 -key TestCert.key -out TestCert.csr
-    openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key`
+    openssl ca -extensions usr_cert -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key
     openssl x509 -in TestCert.crt -out TestCert.cer -outform DER
     openssl x509 -inform DER -in TestCert.cer -outform PEM -out TestCert.pub.pem