### -*-conf-*-
###
### OpenSSL configuration for distorted.org.uk CA.

###--------------------------------------------------------------------------
### Defaults.

## Source of randomness for key generation.  The OpenSSL command-line tools
## read seed material from this path and try to write fresh seed back to it
## on exit; pointing it at the kernel generator presumably avoids keeping a
## seed file on disk (writes to /dev/urandom are accepted and harmless).
RANDFILE = /dev/urandom

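###--------------------------------------------------------------------------
### Certificate request configuration.

[req]
## RSA modulus size for `req -newkey'; 3072 bits is the usual floor for new
## keys today.
default_bits = 3072
## Private keys are written unencrypted.  Convenient for unattended use, but
## the key file on disk is then only as safe as its filesystem permissions;
## set this to `yes' for any key that is generated interactively.
encrypt_key = no
## Signature digest for requests and for the self-signed CA certificate made
## with `req -x509'.  SHA-1 signatures are rejected by current verifiers
## (OpenSSL 3 at its default security level, browsers), so use SHA-256.
default_md = sha256
## Field values, whether typed at the prompts or read from this file, are
## interpreted as UTF-8 rather than ASCII.
utf8 = yes
## Extensions attached when `req -x509' makes the self-signed CA certificate.
x509_extensions = ca-extensions
## Section describing the DN attributes to prompt for.
distinguished_name = req-dn
prompt = yes
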
[req-dn]
## Each key below names a DN attribute and gives the prompt text for it (the
## surrounding quotes are stripped by the config parser).  `<field>_default'
## is used when the prompt is answered with an empty line; `<field>_min' and
## `<field>_max' bound the accepted length in characters.  The order of the
## fields here is the order of the prompts and of the resulting DN.

countryName = "Country name"
countryName_default = "GB"
countryName_min = 2
countryName_max = 2

stateOrProvinceName = "State, province, or county"
stateOrProvinceName_default = "Cambridgeshire"
stateOrProvinceName_max = 64

localityName = "Locality (e.g., city)"
localityName_default = "Cambridge"
localityName_max = 64

## organizationName must equal the CA certificate's value to pass the
## `match' rule in [distorted-policy]; the default below is that value.
organizationName = "Organization"
organizationName_default = "distorted.org.uk"
organizationName_max = 64
organizationalUnitName = "Organizational unit"
organizationalUnitName_max = 64

commonName = "Common name"
commonName_max = 64

## [distorted-ca] sets email_in_dn = no, so this is removed from the issued
## subject; the client extension section copies it into subjectAltName.
emailAddress = "Email address"
emailAddress_max = 64

###--------------------------------------------------------------------------
### CA configuration.

[ca]
## Section `openssl ca' uses unless overridden with -name.
default_ca = distorted-ca
## Keep the DN attribute order from the request instead of reordering it to
## follow the policy section (same as -preserveDN).
preserve = yes

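[distorted-ca]
## Validity of issued certificates in days (1825 = five years).  That is far
## longer than public CAs now allow for TLS certificates; acceptable for a
## private CA, but it makes the CRL the only way to retire a compromised key
## early.
default_days = 1825
## Signature digest for certificates and CRLs.  SHA-1 signatures are rejected
## by current verifiers (OpenSSL 3 at its default security level, browsers),
## so use SHA-256.
default_md = sha256
## Allow several valid certificates with the same subject (renewals).
unique_subject = no
## Strip emailAddress from the issued subject DN; the client extension
## section puts it into subjectAltName via `email:copy' instead.
email_in_dn = no
## CA key and certificate, and the state files `openssl ca' maintains.
## Relative paths are resolved against the working directory, not this file.
private_key = private/ca.key
certificate = ca.cert
database = state/db
serial = state/serial
crlnumber = state/crlnumber
## CRL validity in days: a fresh CRL has to be published at least weekly or
## relying parties that check revocation will start failing.
default_crl_days = 7
new_certs_dir = tmp
## Extensions added to issued certificates unless -extensions names another
## section (e.g. tls-client-extensions).
x509_extensions = tls-server-extensions
crl_extensions = crl-extensions
policy = distorted-policy
name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
cert_opt = no_header, ext_parse, no_pubkey
## Carry extensions from the CSR into the certificate.  With `copy' a request
## extension is used only when the extension section does not already set
## it, so basicConstraints/keyUsage/extendedKeyUsage stay under the CA's
## control -- but subjectAltName comes from the requester, so review it
## before signing.  Do not change this to `copyall', which lets the request
## override the CA's own extensions.
copy_extensions = copy
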
[distorted-policy]
## What `openssl ca' requires of each attribute in the request DN:
## `supplied' must be present, `match' must be present and equal to the CA
## certificate's value, `optional' may be absent.  Attributes not listed
## here would normally be dropped from the issued subject, but [ca] sets
## preserve = yes, which keeps them.
countryName = supplied
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

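[crl-extensions]
## RFC 5280 (s5.2.1) requires every CRL to carry an authorityKeyIdentifier so
## relying parties can locate the signing certificate; without it some
## verifiers cannot match the CRL to the CA.
authorityKeyIdentifier = keyid:always
issuerAltName = email:ca@distorted.org.uk
## crlDistributionPoints is a certificate extension; RFC 5280 does not define
## it for CRLs (the CRL-side counterpart is issuingDistributionPoint).
## OpenSSL emits it anyway, so it is kept as found.
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/distorted.crl
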
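[ca-extensions]
## Extensions for the self-signed CA certificate (via `req -x509').
basicConstraints = critical, CA:TRUE
## The CA also signs CRLs ([distorted-ca] configures crl_extensions and
## crlnumber).  Verifiers reject a CRL whose issuer certificate carries a
## keyUsage without the cRLSign bit (OpenSSL: "key usage does not include
## CRL signing"), so cRLSign must be asserted alongside keyCertSign.
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = email:ca@distorted.org.uk
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/distorted.crl
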
[tls-server-extensions]
## End-entity certificate for a TLS server.
basicConstraints = critical, CA:FALSE
## keyEncipherment covers RSA key transport; digitalSignature covers the
## (EC)DHE handshake signature.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
## `keyid' is the form RFC 5280 recommends; `issuer:always' additionally
## embeds the issuer DN and serial, which breaks chaining if the CA is ever
## re-issued with the same key -- confirm that form is wanted.
authorityKeyIdentifier = keyid:always, issuer:always
issuerAltName = issuer:copy
## No subjectAltName is set here; host names presumably arrive in the request
## and reach the certificate through copy_extensions in [distorted-ca], so a
## request without a SAN yields a CN-only certificate that modern clients
## refuse.
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/distorted.crl

[tls-client-extensions]
## End-entity certificate for a TLS client; select with
## `openssl ca -extensions tls-client-extensions'.
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
## Same form as the server section; `issuer:always' embeds issuer DN and
## serial in addition to the key identifier.
authorityKeyIdentifier = keyid:always, issuer:always
issuerAltName = issuer:copy
## Copy the emailAddress from the request's subject into subjectAltName;
## [distorted-ca] removes it from the issued DN (email_in_dn = no).
subjectAltName = email:copy
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/distorted.crl

114 | ###----- That's all, folks -------------------------------------------------- |