summaryrefslogtreecommitdiff
path: root/etc
diff options
context:
space:
mode:
Diffstat (limited to 'etc')
-rw-r--r--etc/email-client.conf31
-rw-r--r--etc/root-ca.conf102
-rw-r--r--etc/signing-ca.conf111
-rw-r--r--etc/tls-server.conf32
4 files changed, 276 insertions, 0 deletions
diff --git a/etc/email-client.conf b/etc/email-client.conf
new file mode 100644
index 0000000..04fdaef
--- /dev/null
+++ b/etc/email-client.conf
@@ -0,0 +1,31 @@
+# Email client certificate request
+
+# This file is used by the openssl req command. Since we cannot know the DN in
+# advance the user is prompted for DN information.
+
+[ req ]
+default_bits = 2048 # RSA key size
+encrypt_key = yes # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = yes # Prompt for DN
+distinguished_name = email_dn # DN template
+req_extensions = email_reqext # Desired extensions
+
+[ email_dn ]
+0.domainComponent = "1. Domain Component (eg, com) "
+1.domainComponent = "2. Domain Component (eg, company) "
+2.domainComponent = "3. Domain Component (eg, pki) "
+organizationName = "4. Organization Name (eg, company) "
+organizationalUnitName = "5. Organizational Unit Name (eg, section) "
+commonName = "6. Common Name (eg, full name)"
+commonName_max = 64
+emailAddress = "7. Email Address (eg, name@fqdn)"
+emailAddress_max = 40
+
+[ email_reqext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = emailProtection,clientAuth
+subjectKeyIdentifier = hash
+subjectAltName = email:copy
diff --git a/etc/root-ca.conf b/etc/root-ca.conf
new file mode 100644
index 0000000..9a8a831
--- /dev/null
+++ b/etc/root-ca.conf
@@ -0,0 +1,102 @@
+# Simple Root CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca = root-ca # CA name
+dir = . # Top dir
+
+# The first part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits = 2048 # RSA key size
+encrypt_key = yes # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = no # Don't prompt for DN
+distinguished_name = ca_dn # DN section
+req_extensions = ca_reqext # Desired extensions
+
+[ ca_dn ]
+0.domainComponent = "org"
+1.domainComponent = "simple"
+organizationName = "Simple Inc"
+organizationalUnitName = "Simple CA"
+commonName = "Simple Root CA"
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca = root_ca # The default CA section
+
+[ root_ca ]
+certificate = $dir/ca/$ca.crt # The CA cert
+private_key = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir = $dir/ca/$ca # Certificate archive
+serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database = $dir/ca/$ca/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 3652 # How long to certify for
+default_md = sha1 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = copy # Copy extensions from CSR
+x509_extensions = leafca_ext # Default cert extensions
+default_crl_days = 365 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent = match # Must match 'simple.org'
+organizationName = match # Must match 'Simple Inc'
+organizationalUnitName = optional # Included if present
+commonName = supplied # Must be present
+
+[ any_pol ]
+domainComponent = optional
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ rootca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ leafca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/etc/signing-ca.conf b/etc/signing-ca.conf
new file mode 100644
index 0000000..1fa2d29
--- /dev/null
+++ b/etc/signing-ca.conf
@@ -0,0 +1,111 @@
+# Simple Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca = signing-ca # CA name
+dir = . # Top dir
+
+# The first part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits = 2048 # RSA key size
+encrypt_key = yes # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = no # Don't prompt for DN
+distinguished_name = ca_dn # DN section
+req_extensions = ca_reqext # Desired extensions
+
+[ ca_dn ]
+0.domainComponent = "org"
+1.domainComponent = "simple"
+organizationName = "Simple Inc"
+organizationalUnitName = "Simple CA"
+commonName = "Simple Signing CA"
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca = signing_ca # The default CA section
+
+[ signing_ca ]
+certificate = $dir/ca/$ca.crt # The CA cert
+private_key = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir = $dir/ca/$ca # Certificate archive
+serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database = $dir/ca/$ca/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 730 # How long to certify for
+default_md = sha1 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = copy # Copy extensions from CSR
+x509_extensions = email_ext # Default cert extensions
+default_crl_days = 7 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent = match # Must match 'simple.org'
+organizationName = match # Must match 'Simple Inc'
+organizationalUnitName = optional # Included if present
+commonName = supplied # Must be present
+
+[ any_pol ]
+domainComponent = optional
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ email_ext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+basicConstraints = CA:false
+extendedKeyUsage = emailProtection,clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ server_ext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+basicConstraints = CA:false
+extendedKeyUsage = serverAuth,clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ client_ext ]
+keyUsage = critical,digitalSignature
+basicConstraints = CA:false
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/etc/tls-server.conf b/etc/tls-server.conf
new file mode 100644
index 0000000..9fa9563
--- /dev/null
+++ b/etc/tls-server.conf
@@ -0,0 +1,32 @@
+# TLS server certificate request
+
+# This file is used by the openssl req command. The subjectAltName cannot be
+# prompted for and must be specified in the SAN environment variable.
+
+[ default ]
+SAN = DNS:yourdomain.tld # Default value
+
+[ req ]
+default_bits = 2048 # RSA key size
+encrypt_key = yes # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = yes # Prompt for DN
+distinguished_name = server_dn # DN template
+req_extensions = server_reqext # Desired extensions
+
+[ server_dn ]
+0.domainComponent = "1. Domain Component (eg, com) "
+1.domainComponent = "2. Domain Component (eg, company) "
+2.domainComponent = "3. Domain Component (eg, pki) "
+organizationName = "4. Organization Name (eg, company) "
+organizationalUnitName = "5. Organizational Unit Name (eg, section) "
+commonName = "6. Common Name (eg, FQDN) "
+commonName_max = 64
+
+[ server_reqext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth,clientAuth
+subjectKeyIdentifier = hash
+subjectAltName = $ENV::SAN # No way to prompt for this