From 5ed2a3931f726fcbc84494c39eebabae4736e97d Mon Sep 17 00:00:00 2001
From: Erich Eckner <git@eckner.net>
Date: Tue, 26 May 2020 14:29:34 +0200
Subject: acme2certifier: store some ssl.conf, too

---
 acme2certifier/ssl.conf | 72 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 acme2certifier/ssl.conf

(limited to 'acme2certifier/ssl.conf')

diff --git a/acme2certifier/ssl.conf b/acme2certifier/ssl.conf
new file mode 100644
index 00000000..8db62df0
--- /dev/null
+++ b/acme2certifier/ssl.conf
@@ -0,0 +1,72 @@
+# Simple Root & Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca                      = opennic_intermediate_ca
+dir                     = /var/lib/acme2certifier/acme/ca   # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits            = 4096                  # RSA key size
+encrypt_key             = no                    # Protect private key
+default_md              = sha1                  # MD to use
+utf8                    = yes                   # Input is UTF-8
+string_mask             = utf8only              # Emit UTF-8 strings
+prompt                  = no                    # Don't prompt for DN
+distinguished_name      = ca_dn                 # DN section
+req_extensions          = ca_reqext             # Desired extensions
+
+[ ca_dn ]
+0.domainComponent       = "libre"
+1.domainComponent       = "acme"
+2.domainComponent       = "playground"
+organizationName        = "OpenNIC"
+organizationalUnitName  = "OpenNIC CA"
+commonName              = OpenNIC Intermediate CA
+
+[ ca_reqext ]
+keyUsage                = critical,keyCertSign,cRLSign
+basicConstraints        = critical,CA:true
+subjectKeyIdentifier    = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ opennic_intermediate_ca ]
+certificate             = $dir/$ca.crt       # The CA cert
+private_key             = $dir/$ca/private/$ca.key # CA private key
+new_certs_dir           = $dir/$ca           # Certificate archive
+serial                  = $dir/$ca/db/$ca.crt.srl # Serial number file
+crlnumber               = $dir/$ca/db/$ca.crl.srl # CRL number file
+database                = $dir/$ca/db/$ca.db # Index file
+unique_subject          = no                    # Require unique subject
+default_days            = 60                    # How long to certify for
+default_md              = sha1                  # MD to use
+policy                  = match_pol             # Default naming policy
+email_in_dn             = no                    # Add email to cert DN
+preserve                = no                    # Keep passed DN ordering
+name_opt                = ca_default            # Subject DN display options
+cert_opt                = ca_default            # Certificate display options
+copy_extensions         = copy                  # Copy extensions from CSR
+x509_extensions         = email_ext             # Default cert extensions
+default_crl_days        = 7                     # How long before next CRL
+crl_extensions          = crl_ext               # CRL extensions
+
+[ opennic_intermediate_ca_ext ]
+keyUsage                = critical,keyCertSign,cRLSign,digitalSignature
+basicConstraints        = critical,CA:true,pathlen:0
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always
-- 
cgit v1.2.3-54-g00ecf