summaryrefslogtreecommitdiff
path: root/etc
diff options
context:
space:
mode:
authorErich Eckner <git@eckner.net>2019-09-02 10:45:14 +0200
committerErich Eckner <git@eckner.net>2019-09-02 12:03:10 +0200
commit70171c27198eaafbc16ec7c65706eab7485916f4 (patch)
treead5de2576012e1ce048e9fdd22002d8253563a67 /etc
parent4cb7f201a74ebd1709f544f79cdff6855f853e0d (diff)
downloadsimple-pki-70171c27198eaafbc16ec7c65706eab7485916f4.tar.xz
merge ca configs
Diffstat (limited to 'etc')
-rw-r--r--etc/ca.conf (renamed from etc/signing-ca.conf)44
-rw-r--r--etc/root-ca.conf102
2 files changed, 38 insertions, 108 deletions
diff --git a/etc/signing-ca.conf b/etc/ca.conf
index ebba5d0..0b768e0 100644
--- a/etc/signing-ca.conf
+++ b/etc/ca.conf
@@ -1,11 +1,11 @@
-# Simple Signing CA
+# Simple Root & Signing CA
# The [default] section contains global constants that can be referred to from
# the entire configuration file. It may also hold settings pertaining to more
# than one openssl command.
[ default ]
-ca = signing-ca # CA name
+ca = $ENV::CA
dir = . # Top dir
# The next part of the configuration file is used by the openssl req command.
@@ -27,19 +27,36 @@ req_extensions = ca_reqext # Desired extensions
1.domainComponent = "eckner"
organizationName = "Eckner Net"
organizationalUnitName = "Eckner Net CA"
-commonName = "Eckner Net Signing CA"
+commonName = "Eckner Net Root CA"
[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
-basicConstraints = critical,CA:true,pathlen:0
+basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
# The remainder of the configuration file is used by the openssl ca command.
# The CA section defines the locations of CA assets, as well as the policies
# applying to the CA.
-[ ca ]
-default_ca = signing_ca # The default CA section
+[ root_ca ]
+certificate = $dir/ca/$ca.crt # The CA cert
+private_key = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir = $dir/ca/$ca # Certificate archive
+serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database = $dir/ca/$ca/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 3652 # How long to certify for
+default_md = sha1 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = none # Copy extensions from CSR
+x509_extensions = signing_ca_ext # Default cert extensions
+default_crl_days = 365 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
[ signing_ca ]
certificate = $dir/ca/$ca.crt # The CA cert
@@ -83,6 +100,21 @@ emailAddress = optional
# Certificate extensions define what types of certificates the CA is able to
# create.
+[ root_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ signing_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
[ email_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
basicConstraints = CA:false
diff --git a/etc/root-ca.conf b/etc/root-ca.conf
deleted file mode 100644
index 70df9cf..0000000
--- a/etc/root-ca.conf
+++ /dev/null
@@ -1,102 +0,0 @@
-# Simple Root CA
-
-# The [default] section contains global constants that can be referred to from
-# the entire configuration file. It may also hold settings pertaining to more
-# than one openssl command.
-
-[ default ]
-ca = root-ca # CA name
-dir = . # Top dir
-
-# The next part of the configuration file is used by the openssl req command.
-# It defines the CA's key pair, its DN, and the desired extensions for the CA
-# certificate.
-
-[ req ]
-default_bits = 4096 # RSA key size
-encrypt_key = no # Protect private key
-default_md = sha1 # MD to use
-utf8 = yes # Input is UTF-8
-string_mask = utf8only # Emit UTF-8 strings
-prompt = no # Don't prompt for DN
-distinguished_name = ca_dn # DN section
-req_extensions = ca_reqext # Desired extensions
-
-[ ca_dn ]
-0.domainComponent = "net"
-1.domainComponent = "eckner"
-organizationName = "Eckner Net"
-organizationalUnitName = "Eckner Net CA"
-commonName = "Eckner Net Root CA"
-
-[ ca_reqext ]
-keyUsage = critical,keyCertSign,cRLSign
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-
-# The remainder of the configuration file is used by the openssl ca command.
-# The CA section defines the locations of CA assets, as well as the policies
-# applying to the CA.
-
-[ ca ]
-default_ca = root_ca # The default CA section
-
-[ root_ca ]
-certificate = $dir/ca/$ca.crt # The CA cert
-private_key = $dir/ca/$ca/private/$ca.key # CA private key
-new_certs_dir = $dir/ca/$ca # Certificate archive
-serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
-crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
-database = $dir/ca/$ca/db/$ca.db # Index file
-unique_subject = no # Require unique subject
-default_days = 3652 # How long to certify for
-default_md = sha1 # MD to use
-policy = match_pol # Default naming policy
-email_in_dn = no # Add email to cert DN
-preserve = no # Keep passed DN ordering
-name_opt = ca_default # Subject DN display options
-cert_opt = ca_default # Certificate display options
-copy_extensions = none # Copy extensions from CSR
-x509_extensions = signing_ca_ext # Default cert extensions
-default_crl_days = 365 # How long before next CRL
-crl_extensions = crl_ext # CRL extensions
-
-# Naming policies control which parts of a DN end up in the certificate and
-# under what circumstances certification should be denied.
-
-[ match_pol ]
-domainComponent = match # Must match 'simple.org'
-organizationName = match # Must match 'Simple Inc'
-organizationalUnitName = optional # Included if present
-commonName = supplied # Must be present
-
-[ any_pol ]
-domainComponent = optional
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = optional
-emailAddress = optional
-
-# Certificate extensions define what types of certificates the CA is able to
-# create.
-
-[ root_ca_ext ]
-keyUsage = critical,keyCertSign,cRLSign
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ signing_ca_ext ]
-keyUsage = critical,keyCertSign,cRLSign
-basicConstraints = critical,CA:true,pathlen:0
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-# CRL extensions exist solely to point to the CA certificate that has issued
-# the CRL.
-
-[ crl_ext ]
-authorityKeyIdentifier = keyid:always