authorErich Eckner <git@eckner.net>2020-05-26 14:29:34 +0200
committerErich Eckner <git@eckner.net>2020-05-26 14:29:34 +0200
commit5ed2a3931f726fcbc84494c39eebabae4736e97d (patch)
treefc3993a17687b93abdec8def7324899e85277818 /acme2certifier/ssl.conf
parent0df288fe76483055999912c0dffceb4e9b381b71 (diff)
downloadarchlinuxewe.git.save-5ed2a3931f726fcbc84494c39eebabae4736e97d.tar.xz
acme2certifier: store some ssl.conf, too
Diffstat (limited to 'acme2certifier/ssl.conf')
-rw-r--r--acme2certifier/ssl.conf72
1 files changed, 72 insertions, 0 deletions
diff --git a/acme2certifier/ssl.conf b/acme2certifier/ssl.conf
new file mode 100644
index 00000000..8db62df0
--- /dev/null
+++ b/acme2certifier/ssl.conf
@@ -0,0 +1,72 @@
+# Simple Root & Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca = opennic_intermediate_ca
+dir = /var/lib/acme2certifier/acme/ca # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits = 4096 # RSA key size
+encrypt_key = no # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = no # Don't prompt for DN
+distinguished_name = ca_dn # DN section
+req_extensions = ca_reqext # Desired extensions
+
+[ ca_dn ]
+0.domainComponent = "libre"
+1.domainComponent = "acme"
+2.domainComponent = "playground"
+organizationName = "OpenNIC"
+organizationalUnitName = "OpenNIC CA"
+commonName = OpenNIC Intermediate CA
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ opennic_intermediate_ca ]
+certificate = $dir/$ca.crt # The CA cert
+private_key = $dir/$ca/private/$ca.key # CA private key
+new_certs_dir = $dir/$ca # Certificate archive
+serial = $dir/$ca/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/$ca/db/$ca.crl.srl # CRL number file
+database = $dir/$ca/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 60 # How long to certify for
+default_md = sha1 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = copy # Copy extensions from CSR
+x509_extensions = email_ext # Default cert extensions
+default_crl_days = 7 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+[ opennic_intermediate_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign,digitalSignature
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
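Review bot: `default_md = sha1` in `[ req ]` and again in `[ opennic_intermediate_ca ]` selects SHA-1 for the CSR and for every certificate and CRL this CA signs; SHA-1 signatures are rejected by current TLS clients and CA policy, so both lines should read `default_md = sha256`. `x509_extensions = email_ext` points at a section this file never defines (the file only defines `opennic_intermediate_ca_ext`, which nothing references, and `crl_ext`), so `openssl ca` will fail unless that section lives in another file; and because `copy_extensions = copy` is set, any extension the section does not pin — basicConstraints and keyUsage included — is taken verbatim from the requester's CSR, so the leaf extensions section should explicitly set `basicConstraints = CA:FALSE` and a restricted `keyUsage` rather than rely on copying. The trailing comment on `encrypt_key = no` says "Protect private key" while the value turns key encryption off; either change the comment to state that the key is written unencrypted, or set `encrypt_key = yes` if the key is meant to be passphrase-protected.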