--- /usr/share/openvpn/easy-rsa/openssl.cnf 2010-05-17 14:51:02.000000000 +0200
+++ openssl.cnf 2010-05-17 14:36:05.000000000 +0200
@@ -173,7 +173,7 @@
 # the certificate can be used for anything *except* object signing.
 # This is OK for an SSL server.
-# nsCertType = server
+# nsCertType = client, server, email
 # For an object signing certificate this would be used.
 # nsCertType = objsign
@@ -182,7 +182,7 @@
 # nsCertType = client, email
 # and for everything including object signing:
-# nsCertType = client, email, objsign
+# nsCertType = server, client, email, objsign
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
@@ -193,8 +193,9 @@
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
-extendedKeyUsage=clientAuth
-keyUsage = digitalSignature
+extendedKeyUsage=clientAuth,serverAuth
+#extendedKeyUsage=clientAuth,serverAuth,ipsecUser,ipsecTunnel,ipsecEndSystem
+keyUsage = digitalSignature, keyEncipherment
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
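Review bot: In the third hunk, `extendedKeyUsage=clientAuth,serverAuth` makes every certificate issued from this extension section valid as a TLS server as well as a client. A peer that authenticates the server by EKU (for example OpenVPN's `remote-cert-tls server`) can then no longer tell a client's certificate from the real server's. The section header is outside the hunk, so this is inferred: if this is the section used for ordinary user certificates, keep `extendedKeyUsage=clientAuth` here and issue the server certificate from a separate section carrying `extendedKeyUsage=serverAuth` and `keyUsage = digitalSignature, keyEncipherment`. If a dual-role certificate really is required for one host, a comment such as `# dual-role cert: peers must pin the subject/CN, EKU no longer separates client from server` would document the trade-off. The first two hunks only touch commented-out examples, but the label `# This is OK for an SSL server.` no longer matches the widened `nsCertType` example beneath it.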