blob: 8db62df0c9b04a4c47cff0f30d23d15bef4834e5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
# Simple Root & Signing CA
# The [default] section contains global constants that can be referred to from
# the entire configuration file. It may also hold settings pertaining to more
# than one openssl command.
[ default ]
ca = opennic_intermediate_ca
dir = /var/lib/acme2certifier/acme/ca # Top dir
# The next part of the configuration file is used by the openssl req command.
# It defines the CA's key pair, its DN, and the desired extensions for the CA
# certificate.
[ req ]
default_bits = 4096 # RSA key size
encrypt_key = no # Protect private key
default_md = sha1 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
prompt = no # Don't prompt for DN
distinguished_name = ca_dn # DN section
req_extensions = ca_reqext # Desired extensions
[ ca_dn ]
0.domainComponent = "libre"
1.domainComponent = "acme"
2.domainComponent = "playground"
organizationName = "OpenNIC"
organizationalUnitName = "OpenNIC CA"
commonName = OpenNIC Intermediate CA
[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
# The remainder of the configuration file is used by the openssl ca command.
# The CA section defines the locations of CA assets, as well as the policies
# applying to the CA.
[ opennic_intermediate_ca ]
certificate = $dir/$ca.crt # The CA cert
private_key = $dir/$ca/private/$ca.key # CA private key
new_certs_dir = $dir/$ca # Certificate archive
serial = $dir/$ca/db/$ca.crt.srl # Serial number file
crlnumber = $dir/$ca/db/$ca.crl.srl # CRL number file
database = $dir/$ca/db/$ca.db # Index file
unique_subject = no # Require unique subject
default_days = 60 # How long to certify for
default_md = sha1 # MD to use
policy = match_pol # Default naming policy
email_in_dn = no # Add email to cert DN
preserve = no # Keep passed DN ordering
name_opt = ca_default # Subject DN display options
cert_opt = ca_default # Certificate display options
copy_extensions = copy # Copy extensions from CSR
x509_extensions = email_ext # Default cert extensions
default_crl_days = 7 # How long before next CRL
crl_extensions = crl_ext # CRL extensions
[ opennic_intermediate_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# CRL extensions exist solely to point to the CA certificate that has issued
# the CRL.
[ crl_ext ]
authorityKeyIdentifier = keyid:always
|
