From fd59cea0317d1771a2278376e4ccadfa2106eee6 Mon Sep 17 00:00:00 2001
From: Erich Eckner
Date: Mon, 2 Sep 2019 11:02:46 +0200
Subject: auto-generate etc/ca.conf
---
 Makefile | 2 +-
 etc/ca.conf | 136 ---------------------------------------------------------
 etc/ca.conf.in | 136 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 137 insertions(+), 137 deletions(-)
 delete mode 100644 etc/ca.conf
 create mode 100644 etc/ca.conf.in
diff --git a/Makefile b/Makefile
index c5d6633..873c9c1 100644
--- a/Makefile
+++ b/Makefile
@@ -27,7 +27,7 @@ MANDIR = /usr/share/man
 VERSION = 0.0
-all: rotate-keys rotate-keys.service sign-ca sign-ca.service sign-request
+all: rotate-keys rotate-keys.service sign-ca sign-ca.service sign-request etc/ca.conf
 %: %.in
 	sed " \
diff --git a/etc/ca.conf b/etc/ca.conf
deleted file mode 100644
index 34a7193..0000000
--- a/etc/ca.conf
+++ /dev/null
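Review bot: etc/ca.conf becomes a build product on the `all:` line, but nothing in this hunk removes it in a clean target or marks it ignored for git, so once this commit deletes the tracked copy a plain `make` leaves a file that shows up as untracked and can be committed back by mistake. If a `clean` target and a .gitignore exist elsewhere in the tree, `etc/ca.conf` belongs in both. The `%: %.in` recipe is cut off at the end of the hunk, so I cannot confirm that its sed script substitutes the `#ETCDIR#` placeholder that the new etc/ca.conf.in contains. A guard in that recipe, for example `! grep -q '#[A-Z_]*#' $@` after the sed step, would turn a missed substitution into a build failure rather than a silently wrong config.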
@@ -1,136 +0,0 @@
-# Simple Root & Signing CA
-
-# The [default] section contains global constants that can be referred to from
-# the entire configuration file. It may also hold settings pertaining to more
-# than one openssl command.
-
-[ default ]
-ca = $ENV::CA
-dir = . # Top dir
-
-# The next part of the configuration file is used by the openssl req command.
-# It defines the CA's key pair, its DN, and the desired extensions for the CA
-# certificate.
-
-[ req ]
-default_bits = 4096 # RSA key size
-encrypt_key = no # Protect private key
-default_md = sha1 # MD to use
-utf8 = yes # Input is UTF-8
-string_mask = utf8only # Emit UTF-8 strings
-prompt = no # Don't prompt for DN
-distinguished_name = ca_dn # DN section
-req_extensions = ca_reqext # Desired extensions
-
-[ ca_dn ]
-0.domainComponent = "net"
-1.domainComponent = "eckner"
-organizationName = "Eckner Net"
-organizationalUnitName = "Eckner Net CA"
-commonName = "Eckner Net Root CA"
-
-[ ca_reqext ]
-keyUsage = critical,keyCertSign,cRLSign
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-
-# The remainder of the configuration file is used by the openssl ca command.
-# The CA section defines the locations of CA assets, as well as the policies
-# applying to the CA.
-
-[ root_ca ]
-certificate = $dir/ca/$ca.crt # The CA cert
-private_key = $dir/ca/$ca/private/$ca.key # CA private key
-new_certs_dir = $dir/ca/$ca # Certificate archive
-serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
-crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
-database = $dir/ca/$ca/db/$ca.db # Index file
-unique_subject = no # Require unique subject
-default_days = 365 # How long to certify for
-default_md = sha1 # MD to use
-policy = match_pol # Default naming policy
-email_in_dn = no # Add email to cert DN
-preserve = no # Keep passed DN ordering
-name_opt = ca_default # Subject DN display options
-cert_opt = ca_default # Certificate display options
-copy_extensions = none # Copy extensions from CSR
-x509_extensions = signing_ca_ext # Default cert extensions
-default_crl_days = 30 # How long before next CRL
-crl_extensions = crl_ext # CRL extensions
-
-[ signing_ca ]
-certificate = $dir/ca/$ca.crt # The CA cert
-private_key = $dir/ca/$ca/private/$ca.key # CA private key
-new_certs_dir = $dir/ca/$ca # Certificate archive
-serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
-crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
-database = $dir/ca/$ca/db/$ca.db # Index file
-unique_subject = no # Require unique subject
-default_days = 30 # How long to certify for
-default_md = sha1 # MD to use
-policy = match_pol # Default naming policy
-email_in_dn = no # Add email to cert DN
-preserve = no # Keep passed DN ordering
-name_opt = ca_default # Subject DN display options
-cert_opt = ca_default # Certificate display options
-copy_extensions = copy # Copy extensions from CSR
-x509_extensions = email_ext # Default cert extensions
-default_crl_days = 7 # How long before next CRL
-crl_extensions = crl_ext # CRL extensions
-
-# Naming policies control which parts of a DN end up in the certificate and
-# under what circumstances certification should be denied.
-
-[ match_pol ]
-domainComponent = match # Must match 'simple.org'
-organizationName = match # Must match 'Simple Inc'
-organizationalUnitName = optional # Included if present
-commonName = supplied # Must be present
-
-[ any_pol ]
-domainComponent = optional
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = optional
-emailAddress = optional
-
-# Certificate extensions define what types of certificates the CA is able to
-# create.
-
-[ root_ca_ext ]
-keyUsage = critical,keyCertSign,cRLSign
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ signing_ca_ext ]
-keyUsage = critical,keyCertSign,cRLSign
-basicConstraints = critical,CA:true,pathlen:0
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-# Certificate extensions define what types of certificates the CA is able to
-# create.
-
-[ email_ext ]
-keyUsage = critical,digitalSignature,keyEncipherment
-basicConstraints = CA:false
-extendedKeyUsage = emailProtection,clientAuth
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ server_ext ]
-keyUsage = critical,digitalSignature,keyEncipherment
-basicConstraints = CA:false
-extendedKeyUsage = serverAuth,clientAuth
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-# CRL extensions exist solely to point to the CA certificate that has issued
-# the CRL.
-
-[ crl_ext ]
-authorityKeyIdentifier = keyid:always
diff --git a/etc/ca.conf.in b/etc/ca.conf.in
new file mode 100644
index 0000000..78d211f
--- /dev/null
+++ b/etc/ca.conf.in
@@ -0,0 +1,136 @@
+# Simple Root & Signing CA
+
+# The [default] section contains global constants that can be referred to from
+# the entire configuration file. It may also hold settings pertaining to more
+# than one openssl command.
+
+[ default ]
+ca = $ENV::CA
+dir = #ETCDIR#/simple-pki # Top dir
+
+# The next part of the configuration file is used by the openssl req command.
+# It defines the CA's key pair, its DN, and the desired extensions for the CA
+# certificate.
+
+[ req ]
+default_bits = 4096 # RSA key size
+encrypt_key = no # Protect private key
+default_md = sha1 # MD to use
+utf8 = yes # Input is UTF-8
+string_mask = utf8only # Emit UTF-8 strings
+prompt = no # Don't prompt for DN
+distinguished_name = ca_dn # DN section
+req_extensions = ca_reqext # Desired extensions
+
+[ ca_dn ]
+0.domainComponent = "net"
+1.domainComponent = "eckner"
+organizationName = "Eckner Net"
+organizationalUnitName = "Eckner Net CA"
+commonName = "Eckner Net Root CA"
+
+[ ca_reqext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+
+# The remainder of the configuration file is used by the openssl ca command.
+# The CA section defines the locations of CA assets, as well as the policies
+# applying to the CA.
+
+[ root_ca ]
+certificate = $dir/ca/$ca.crt # The CA cert
+private_key = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir = $dir/ca/$ca # Certificate archive
+serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database = $dir/ca/$ca/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 365 # How long to certify for
+default_md = sha1 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = none # Copy extensions from CSR
+x509_extensions = signing_ca_ext # Default cert extensions
+default_crl_days = 30 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+[ signing_ca ]
+certificate = $dir/ca/$ca.crt # The CA cert
+private_key = $dir/ca/$ca/private/$ca.key # CA private key
+new_certs_dir = $dir/ca/$ca # Certificate archive
+serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
+crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
+database = $dir/ca/$ca/db/$ca.db # Index file
+unique_subject = no # Require unique subject
+default_days = 30 # How long to certify for
+default_md = sha1 # MD to use
+policy = match_pol # Default naming policy
+email_in_dn = no # Add email to cert DN
+preserve = no # Keep passed DN ordering
+name_opt = ca_default # Subject DN display options
+cert_opt = ca_default # Certificate display options
+copy_extensions = copy # Copy extensions from CSR
+x509_extensions = email_ext # Default cert extensions
+default_crl_days = 7 # How long before next CRL
+crl_extensions = crl_ext # CRL extensions
+
+# Naming policies control which parts of a DN end up in the certificate and
+# under what circumstances certification should be denied.
+
+[ match_pol ]
+domainComponent = match # Must match 'simple.org'
+organizationName = match # Must match 'Simple Inc'
+organizationalUnitName = optional # Included if present
+commonName = supplied # Must be present
+
+[ any_pol ]
+domainComponent = optional
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ root_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ signing_ca_ext ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# Certificate extensions define what types of certificates the CA is able to
+# create.
+
+[ email_ext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+basicConstraints = CA:false
+extendedKeyUsage = emailProtection,clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ server_ext ]
+keyUsage = critical,digitalSignature,keyEncipherment
+basicConstraints = CA:false
+extendedKeyUsage = serverAuth,clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+# CRL extensions exist solely to point to the CA certificate that has issued
+# the CRL.
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
-- 
cgit v1.2.3-70-g09d2
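Review bot: The placeholder on `dir = #ETCDIR#/simple-pki # Top dir` is built from the same `#` character that OpenSSL's config parser treats as the start of a comment, so if the Makefile's sed step (not visible in this patch) ever leaves it unsubstituted the line silently reads as `dir =` and every `$dir/ca/...` path in [root_ca] and [signing_ca] becomes an absolute path under `/` instead of the build failing. A placeholder that does not contain the comment character, for example `@ETCDIR@` (constructed example, the sed pattern would change accordingly), avoids that trap, or the generated file can be checked for a leftover placeholder after substitution. Separately from the template change, `default_md = sha1` in [req], [root_ca] and [signing_ca] selects a certificate signature digest that OpenSSL 3.x rejects at its default security level and that browsers no longer accept; `default_md = sha256` is the usual minimum. The comment on `encrypt_key = no # Protect private key` states the opposite of what the value does, since the root key is written without a passphrase, so either the comment should say `# Do not encrypt the private key` or the value deserves a second look for the root CA.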