Diffstat (limited to 'etc')
-rw-r--r-- | etc/email-client.conf | 31 | ||||
-rw-r--r-- | etc/root-ca.conf | 102 | ||||
-rw-r--r-- | etc/signing-ca.conf | 111 | ||||
-rw-r--r-- | etc/tls-server.conf | 32 |
4 files changed, 276 insertions, 0 deletions
diff --git a/etc/email-client.conf b/etc/email-client.conf
new file mode 100644
index 0000000..04fdaef
--- /dev/null
+++ b/etc/email-client.conf
@@ -0,0 +1,31 @@
+# Email client certificate request
+
+# This file is used by the openssl req command. Since we cannot know the DN in
+# advance the user is prompted for DN information.
+
+[ req ]
+default_bits = 2048 # RSA key size
+encrypt_key = yes # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = yes # Prompt for DN
+distinguished_name = email_dn # DN template
+req_extensions = email_reqext # Desired extensions
+
+[ email_dn ]
+0.domainComponent = "1. Domain Component (eg, com) "
+1.domainComponent = "2. Domain Component (eg, company) "
+2.domainComponent = "3. Domain Component (eg, pki) "
+organizationName = "4. Organization Name (eg, company) "
+organizationalUnitName = "5. Organizational Unit Name (eg, section) "
+commonName = "6. Common Name (eg, full name)"
+commonName_max = 64
+emailAddress = "7. Email Address (eg, name@fqdn)"
+emailAddress_max = 40
+
+[ email_reqext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = emailProtection,clientAuth
+subjectKeyIdentifier = hash
+subjectAltName = email:copy
diff --git a/etc/root-ca.conf b/etc/root-ca.conf
new file mode 100644
index 0000000..9a8a831
--- /dev/null
+++ b/etc/root-ca.conf
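Review bot: `default_md = sha1` in `[ req ]` selects SHA-1 for the CSR's self-signature and should be `default_md = sha256`. For a request profile this digest only covers the CSR itself — the issued certificate's signature algorithm comes from the signing CA's own `default_md` — but SHA-1 is deprecated and recent OpenSSL releases may refuse to verify a SHA-1 request signature at their default security level, so there is no reason to keep it. `subjectAltName = email:copy` turns whatever the user types at the `emailAddress` prompt into the rfc822Name SAN of the request; nothing in this file binds that address to the requester, so the CA operator must still confirm it before signing.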
@@ -0,0 +1,102 @@
+# Simple Root CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca = root-ca # CA name
+dir = . # Top dir
+
+# The first part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits = 2048 # RSA key size
+encrypt_key = yes # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = no # Don't prompt for DN
+distinguished_name = ca_dn # DN section
+req_extensions = ca_reqext # Desired extensions
+
+[ ca_dn ]
+0.domainComponent = "org"
+1.domainComponent = "simple"
+organizationName = "Simple Inc"
+organizationalUnitName = "Simple CA"
+commonName = "Simple Root CA"
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca = root_ca # The default CA section
+
+[ root_ca ]
+certificate = $dir/ca/$ca.crt # The CA cert
+private_key = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir = $dir/ca/$ca # Certificate archive
+serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database = $dir/ca/$ca/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 3652 # How long to certify for
+default_md = sha1 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = copy # Copy extensions from CSR
+x509_extensions = leafca_ext # Default cert extensions
+default_crl_days = 365 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent = match # Must match 'simple.org'
+organizationName = match # Must match 'Simple Inc'
+organizationalUnitName = optional # Included if present
+commonName = supplied # Must be present
+
+[ any_pol ]
+domainComponent = optional
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ rootca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ leafca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/etc/signing-ca.conf b/etc/signing-ca.conf
new file mode 100644
index 0000000..1fa2d29
--- /dev/null
+++ b/etc/signing-ca.conf
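Review bot: `default_md = sha1` in `[ root_ca ]` is the digest used to sign every subordinate CA certificate and CRL this root issues, so the whole hierarchy inherits SHA-1 signatures that browsers and OpenSSL 3 at its default security level no longer accept; change it, and the matching line in `[ req ]` used for the self-signed root, to `default_md = sha256`. `unique_subject = no # Require unique subject` says the opposite of what the value does — either reword it as `# Allow re-issuing a cert with the same subject` or set `unique_subject = yes` so a sub-CA request that reuses an existing DN is refused rather than silently issued. `copy_extensions = copy` is safe here only because `leafca_ext` pins `keyUsage` and `basicConstraints`, which override anything in the CSR; any other extension a sub-CA request carries (nameConstraints, certificatePolicies, policy constraints) is copied verbatim and must be reviewed before signing.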
@@ -0,0 +1,111 @@
+# Simple Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca = signing-ca # CA name
+dir = . # Top dir
+
+# The first part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits = 2048 # RSA key size
+encrypt_key = yes # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = no # Don't prompt for DN
+distinguished_name = ca_dn # DN section
+req_extensions = ca_reqext # Desired extensions
+
+[ ca_dn ]
+0.domainComponent = "org"
+1.domainComponent = "simple"
+organizationName = "Simple Inc"
+organizationalUnitName = "Simple CA"
+commonName = "Simple Signing CA"
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ ca ]
+default_ca = signing_ca # The default CA section
+
+[ signing_ca ]
+certificate = $dir/ca/$ca.crt # The CA cert
+private_key = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir = $dir/ca/$ca # Certificate archive
+serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database = $dir/ca/$ca/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 730 # How long to certify for
+default_md = sha1 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = copy # Copy extensions from CSR
+x509_extensions = email_ext # Default cert extensions
+default_crl_days = 7 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent = match # Must match 'simple.org'
+organizationName = match # Must match 'Simple Inc'
+organizationalUnitName = optional # Included if present
+commonName = supplied # Must be present
+
+[ any_pol ]
+domainComponent = optional
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ email_ext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+basicConstraints = CA:false
+extendedKeyUsage = emailProtection,clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ server_ext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+basicConstraints = CA:false
+extendedKeyUsage = serverAuth,clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ client_ext ]
+keyUsage = critical,digitalSignature
+basicConstraints = CA:false
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
diff --git a/etc/tls-server.conf b/etc/tls-server.conf
new file mode 100644
index 0000000..9fa9563
--- /dev/null
+++ b/etc/tls-server.conf
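Review bot: With `copy_extensions = copy` in `[ signing_ca ]` and none of `email_ext`, `server_ext` or `client_ext` setting `subjectAltName`, the SAN — and any other extension the chosen section does not name — is taken verbatim from the CSR, so the requester rather than the CA decides which hostnames or e-mail addresses the issued certificate asserts. Either make a CSR extension review (`openssl req -noout -text -in <csr>`) a documented mandatory step before every `openssl ca` run, or add `subjectAltName = $ENV::SAN` to the extension sections so the operator supplies it from a controlled source and the CSR value is overridden. The same `default_md = sha1` as in the root config signs every end-entity certificate and 7-day CRL this CA emits; `default_md = sha256` is the minimum that modern TLS and S/MIME stacks accept. The `basicConstraints = CA:false` and `keyUsage` lines are correct as written: because config extensions take precedence over copied ones, a request claiming `CA:TRUE` or `keyCertSign` cannot become a CA under these profiles.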
@@ -0,0 +1,32 @@
+# TLS server certificate request
+
+# This file is used by the openssl req command. The subjectAltName cannot be
+# prompted for and must be specified in the SAN environment variable.
+
+[ default ]
+SAN = DNS:yourdomain.tld # Default value
+
+[ req ]
+default_bits = 2048 # RSA key size
+encrypt_key = yes # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = yes # Prompt for DN
+distinguished_name = server_dn # DN template
+req_extensions = server_reqext # Desired extensions
+
+[ server_dn ]
+0.domainComponent = "1. Domain Component (eg, com) "
+1.domainComponent = "2. Domain Component (eg, company) "
+2.domainComponent = "3. Domain Component (eg, pki) "
+organizationName = "4. Organization Name (eg, company) "
+organizationalUnitName = "5. Organizational Unit Name (eg, section) "
+commonName = "6. Common Name (eg, FQDN) "
+commonName_max = 64
+
+[ server_reqext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth,clientAuth
+subjectKeyIdentifier = hash
+subjectAltName = $ENV::SAN # No way to prompt for this
|
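Review bot: `SAN = DNS:yourdomain.tld` in `[ default ]` is, per its own `# Default value` comment, what `$ENV::SAN` resolves to when the environment variable is not exported, so a forgotten `export SAN=...` silently produces a CSR for the placeholder name — and, with the signing CA's `copy_extensions = copy`, a certificate for it — instead of an error. Drop the `[ default ]` entry so an unset variable makes the config lookup fail closed, or replace the value with something the operator cannot mistake for a real name. `extendedKeyUsage = serverAuth,clientAuth` also grants the server key client-authentication rights; keep only `serverAuth` unless this host really presents the certificate as a TLS client. `default_md = sha1` should become `sha256` here as in the other request profiles.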