Diffstat (limited to 'etc/ca.conf')
-rw-r--r--etc/ca.conf136
1 files changed, 136 insertions, 0 deletions
diff --git a/etc/ca.conf b/etc/ca.conf
new file mode 100644
index 0000000..0b768e0
--- /dev/null
+++ b/etc/ca.conf
@@ -0,0 +1,136 @@
+# Simple Root & Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca = $ENV::CA
+dir = . # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits = 4096 # RSA key size
+encrypt_key = no # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = no # Don't prompt for DN
+distinguished_name = ca_dn # DN section
+req_extensions = ca_reqext # Desired extensions
+
+[ ca_dn ]
+0.domainComponent = "net"
+1.domainComponent = "eckner"
+organizationName = "Eckner Net"
+organizationalUnitName = "Eckner Net CA"
+commonName = "Eckner Net Root CA"
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ root_ca ]
+certificate = $dir/ca/$ca.crt # The CA cert
+private_key = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir = $dir/ca/$ca # Certificate archive
+serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database = $dir/ca/$ca/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 3652 # How long to certify for
+default_md = sha1 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = none # Copy extensions from CSR
+x509_extensions = signing_ca_ext # Default cert extensions
+default_crl_days = 365 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+[ signing_ca ]
+certificate = $dir/ca/$ca.crt # The CA cert
+private_key = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir = $dir/ca/$ca # Certificate archive
+serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database = $dir/ca/$ca/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 730 # How long to certify for
+default_md = sha1 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = copy # Copy extensions from CSR
+x509_extensions = email_ext # Default cert extensions
+default_crl_days = 7 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent = match # Must match 'simple.org'
+organizationName = match # Must match 'Simple Inc'
+organizationalUnitName = optional # Included if present
+commonName = supplied # Must be present
+
+[ any_pol ]
+domainComponent = optional
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ root_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ signing_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ email_ext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+basicConstraints = CA:false
+extendedKeyUsage = emailProtection,clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ server_ext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+basicConstraints = CA:false
+extendedKeyUsage = serverAuth,clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
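Review bot: `default_md = sha1` in the [req], [root_ca] and [signing_ca] sections makes every CA certificate, issued certificate and CRL SHA-1-signed, which recent OpenSSL releases refuse to verify at the default security level and which gives no collision resistance for a CA that certifies for 3652 days; change all three occurrences to `default_md = sha256`. `encrypt_key = no` in [req] writes the root key to `$dir/ca/$ca/private/$ca.key` in the clear, so anyone who can read that file can issue under the root; `encrypt_key = yes` with the passphrase kept offline is the safer default for a root key. In [signing_ca], `copy_extensions = copy` carries any CSR extension that is not already set in the selected extension section (subjectAltName, for example) into the issued certificate verbatim, so requests need to be reviewed before signing, or the setting switched to `none` with the SAN supplied from the config. The [match_pol] comments still say 'simple.org' and 'Simple Inc' from the template this file was copied from, while [ca_dn] uses dc=net, dc=eckner and 'Eckner Net'; update them, e.g. `domainComponent = match # Must match 'eckner', 'net'`, and note that the comment block above [email_ext] duplicates the one above [root_ca_ext].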