Diffstat (limited to 'etc')
-rw-r--r-- | etc/ca.conf (renamed from etc/signing-ca.conf) | 44 | ||||
-rw-r--r-- | etc/root-ca.conf | 102 |
2 files changed, 38 insertions, 108 deletions
diff --git a/etc/signing-ca.conf b/etc/ca.conf index ebba5d0..0b768e0 100644 --- a/etc/signing-ca.conf +++ b/etc/ca.conf @@ -1,11 +1,11 @@ -# Simple Signing CA +# Simple Root & Signing CA # The [default] section contains global constants that can be referred to from # the entire configuration file. It may also hold settings pertaining to more # than one openssl command. [ default ] -ca = signing-ca # CA name +ca = $ENV::CA dir = . # Top dir # The next part of the configuration file is used by the openssl req command. 
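Review bot: `ca = $ENV::CA` in [ default ] makes loading this file depend on an environment variable with no fallback, and the inline `# CA name` comment that documented the key was dropped with it. If CA is unset openssl refuses to load the configuration at all ("variable has no value"), and because $ca is spliced into every asset path in the [ root_ca ] and [ signing_ca ] sections (the private key, database and serial files under $dir/ca/$ca), any other value points the `ca` command at a different key directory and index. I would restore the comment and state the contract: `# CA name; set CA=root-ca or CA=signing-ca in the environment before running openssl`.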
@@ -27,19 +27,36 @@ req_extensions = ca_reqext # Desired extensions 1.domainComponent = "eckner" organizationName = "Eckner Net" organizationalUnitName = "Eckner Net CA" -commonName = "Eckner Net Signing CA" +commonName = "Eckner Net Root CA" [ ca_reqext ] keyUsage = critical,keyCertSign,cRLSign -basicConstraints = critical,CA:true,pathlen:0 +basicConstraints = critical,CA:true subjectKeyIdentifier = hash # The remainder of the configuration file is used by the openssl ca command. # The CA section defines the locations of CA assets, as well as the policies # applying to the CA. -[ ca ] -default_ca = signing_ca # The default CA section +[ root_ca ] +certificate = $dir/ca/$ca.crt # The CA cert +private_key = $dir/ca/$ca/private/$ca.key # CA private key +new_certs_dir = $dir/ca/$ca # Certificate archive +serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file +crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file +database = $dir/ca/$ca/db/$ca.db # Index file +unique_subject = no # Require unique subject +default_days = 3652 # How long to certify for +default_md = sha1 # MD to use +policy = match_pol # Default naming policy +email_in_dn = no # Add email to cert DN +preserve = no # Keep passed DN ordering +name_opt = ca_default # Subject DN display options +cert_opt = ca_default # Certificate display options +copy_extensions = none # Copy extensions from CSR +x509_extensions = signing_ca_ext # Default cert extensions +default_crl_days = 365 # How long before next CRL +crl_extensions = crl_ext # CRL extensions [ signing_ca ] certificate = $dir/ca/$ca.crt # The CA cert 
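Review bot: The new [ root_ca ] section pins `default_md = sha1`, so the signing-CA certificate the root issues, and its CRLs, get SHA-1 signatures, which current browsers and OpenSSL 3 at its default security level reject; it should be `default_md = sha256`, and if the [ req ] section outside this hunk still carries the `sha1` the deleted root-ca.conf used, that should follow. Separately, removing `[ ca ]` / `default_ca` means every `openssl ca` run must now pass `-name root_ca` or `-name signing_ca`, and nothing ties that choice to `$ENV::CA`: with CA=root-ca and -name signing_ca the root key would presumably sign under the signing CA's policy and extensions, since that section builds its paths from the same $ca (its body continues past the hunk). A comment above [ root_ca ] such as `# Select with: CA=root-ca openssl ca -name root_ca ... (the CA variable and -name must agree)` would make the pairing explicit.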
@@ -83,6 +100,21 @@ emailAddress = optional # Certificate extensions define what types of certificates the CA is able to # create. +[ root_ca_ext ] +keyUsage = critical,keyCertSign,cRLSign +basicConstraints = critical,CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +[ signing_ca_ext ] +keyUsage = critical,keyCertSign,cRLSign +basicConstraints = critical,CA:true,pathlen:0 +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +# Certificate extensions define what types of certificates the CA is able to +# create. + [ email_ext ] keyUsage = critical,digitalSignature,keyEncipherment basicConstraints = CA:false diff --git a/etc/root-ca.conf b/etc/root-ca.conf deleted file mode 100644 index 70df9cf..0000000 --- a/etc/root-ca.conf +++ /dev/null 
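Review bot: The header comment `# Certificate extensions define what types of certificates the CA is able to create.` now appears twice in this hunk: the existing copy (context at the top) sits over the new [ root_ca_ext ] / [ signing_ca_ext ] sections, and an identical copy is re-added over [ email_ext ]. The first copy no longer describes what follows, since those two sections are CA-certificate profiles differing only by `pathlen:0` on signing_ca_ext, so I'd reword it to `# CA certificate extensions: root_ca_ext for the root certificate, signing_ca_ext for the subordinate signing CA (pathlen:0 stops it issuing further CAs).`. Note that root_ca_ext is not referenced by any x509_extensions on the new side, so it presumably has to be selected with `-extensions root_ca_ext` on the command line; stating that in the same comment would help the next operator.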
@@ -1,102 +0,0 @@ -# Simple Root CA - -# The [default] section contains global constants that can be referred to from -# the entire configuration file. It may also hold settings pertaining to more -# than one openssl command. - -[ default ] -ca = root-ca # CA name -dir = . # Top dir - -# The next part of the configuration file is used by the openssl req command. -# It defines the CA's key pair, its DN, and the desired extensions for the CA -# certificate. - -[ req ] -default_bits = 4096 # RSA key size -encrypt_key = no # Protect private key -default_md = sha1 # MD to use -utf8 = yes # Input is UTF-8 -string_mask = utf8only # Emit UTF-8 strings -prompt = no # Don't prompt for DN -distinguished_name = ca_dn # DN section -req_extensions = ca_reqext # Desired extensions - -[ ca_dn ] -0.domainComponent = "net" -1.domainComponent = "eckner" -organizationName = "Eckner Net" -organizationalUnitName = "Eckner Net CA" -commonName = "Eckner Net Root CA" - -[ ca_reqext ] -keyUsage = critical,keyCertSign,cRLSign -basicConstraints = critical,CA:true -subjectKeyIdentifier = hash - -# The remainder of the configuration file is used by the openssl ca command. -# The CA section defines the locations of CA assets, as well as the policies -# applying to the CA. 
- -[ ca ] -default_ca = root_ca # The default CA section - -[ root_ca ] -certificate = $dir/ca/$ca.crt # The CA cert -private_key = $dir/ca/$ca/private/$ca.key # CA private key -new_certs_dir = $dir/ca/$ca # Certificate archive -serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file -crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file -database = $dir/ca/$ca/db/$ca.db # Index file -unique_subject = no # Require unique subject -default_days = 3652 # How long to certify for -default_md = sha1 # MD to use -policy = match_pol # Default naming policy -email_in_dn = no # Add email to cert DN -preserve = no # Keep passed DN ordering -name_opt = ca_default # Subject DN display options -cert_opt = ca_default # Certificate display options -copy_extensions = none # Copy extensions from CSR -x509_extensions = signing_ca_ext # Default cert extensions -default_crl_days = 365 # How long before next CRL -crl_extensions = crl_ext # CRL extensions - -# Naming policies control which parts of a DN end up in the certificate and -# under what circumstances certification should be denied. - -[ match_pol ] -domainComponent = match # Must match 'simple.org' -organizationName = match # Must match 'Simple Inc' -organizationalUnitName = optional # Included if present -commonName = supplied # Must be present - -[ any_pol ] -domainComponent = optional -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = optional -emailAddress = optional - -# Certificate extensions define what types of certificates the CA is able to -# create. 
- -[ root_ca_ext ] -keyUsage = critical,keyCertSign,cRLSign -basicConstraints = critical,CA:true -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always - -[ signing_ca_ext ] -keyUsage = critical,keyCertSign,cRLSign -basicConstraints = critical,CA:true,pathlen:0 -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always - -# CRL extensions exist solely to point to the CA certificate that has issued -# the CRL. - -[ crl_ext ] -authorityKeyIdentifier = keyid:always |