[ca] / openssl.conf

### -*-conf-*-
###
### OpenSSL configuration for distorted.org.uk CA.

###--------------------------------------------------------------------------
### Defaults.

RANDFILE = /dev/urandom

###--------------------------------------------------------------------------
### Certificate request configuration.

[req]
default_bits = 3072
encrypt_key = no
default_md = sha1
utf8 = yes
x509_extensions = ca-extensions
distinguished_name = req-dn
prompt = yes

[req-dn]

countryName = "Country name"
countryName_default = "GB"
countryName_min = 2
countryName_max = 2

stateOrProvinceName = "State, province, or county"
stateOrProvinceName_default = "Cambridgeshire"
stateOrProvinceName_max = 64

localityName = "Locality (e.g., city)"
localityName_default = "Cambridge"
localityName_max = 64

organizationName = "Organization"
organizationName_default = "distorted.org.uk"
organizationName_max = 64
organizationalUnitName = "Organizational unit"
organizationalUnitName_max = 64

commonName = "Common name"
commonName_max = 64

emailAddress = "Email address"
emailAddress_max = 64

###--------------------------------------------------------------------------
### CA configuration.

[ca]
default_ca = distorted-ca
preserve = yes

[distorted-ca]
default_days = 1825
default_md = sha1
unique_subject = no
email_in_dn = no
private_key = private/ca.key
certificate = ca.cert
database = state/db
serial = state/serial
crlnumber = state/crlnumber
default_crl_days = 7
new_certs_dir = tmp
x509_extensions = tls-server-extensions
crl_extensions = crl-extensions
policy = distorted-policy
name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
cert_opt = no_header, ext_parse, no_pubkey
copy_extensions = copy

[distorted-policy]
countryName = supplied
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[crl-extensions]
issuerAltName = email:ca@distorted.org.uk
crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl

[ca-extensions]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
subjectKeyIdentifier = hash
subjectAltName = email:ca@distorted.org.uk
crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl

[tls-server-extensions]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
issuerAltName = issuer:copy
crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl

[tls-client-extensions]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
issuerAltName = issuer:copy
subjectAltName = email:copy
crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl

###----- That's all, folks --------------------------------------------------
Commit	Line	Data
b294f6b5 MW	1	### --conf--
	2	###
	3	### OpenSSL configuration for distorted.org.uk CA.
	4
	5	###--------------------------------------------------------------------------
	6	### Defaults.
	7
	8	RANDFILE = /dev/urandom
	9
	10	###--------------------------------------------------------------------------
	11	### Certificate request configuration.
	12
	13	[req]
	14	default_bits = 3072
	15	encrypt_key = no
	16	default_md = sha1
	17	utf8 = yes
	18	x509_extensions = ca-extensions
	19	distinguished_name = req-dn
	20	prompt = yes
	21
	22	[req-dn]
	23
	24	countryName = "Country name"
	25	countryName_default = "GB"
	26	countryName_min = 2
	27	countryName_max = 2
	28
	29	stateOrProvinceName = "State, province, or county"
	30	stateOrProvinceName_default = "Cambridgeshire"
	31	stateOrProvinceName_max = 64
	32
	33	localityName = "Locality (e.g., city)"
	34	localityName_default = "Cambridge"
	35	localityName_max = 64
	36
	37	organizationName = "Organization"
	38	organizationName_default = "distorted.org.uk"
	39	organizationName_max = 64
	40	organizationalUnitName = "Organizational unit"
	41	organizationalUnitName_max = 64
	42
	43	commonName = "Common name"
	44	commonName_max = 64
	45
	46	emailAddress = "Email address"
	47	emailAddress_max = 64
	48
	49	###--------------------------------------------------------------------------
	50	### CA configuration.
	51
	52	[ca]
	53	default_ca = distorted-ca
	54	preserve = yes
	55
	56	[distorted-ca]
	57	default_days = 1825
	58	default_md = sha1
	59	unique_subject = no
	60	email_in_dn = no
	61	private_key = private/ca.key
	62	certificate = ca.cert
	63	database = state/db
	64	serial = state/serial
65	crlnumber = state/crlnumber
66	default_crl_days = 7
67	new_certs_dir = tmp
68	x509_extensions = tls-server-extensions
69	crl_extensions = crl-extensions
70	policy = distorted-policy
71	name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
72	cert_opt = no_header, ext_parse, no_pubkey
73	copy_extensions = copy
74
75	[distorted-policy]
76	countryName = supplied
77	stateOrProvinceName = optional
78	localityName = optional
79	organizationName = match
80	organizationalUnitName = optional
81	commonName = supplied
82	emailAddress = optional
83
84	[crl-extensions]
85	issuerAltName = email:ca@distorted.org.uk
86	crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl
87
88	[ca-extensions]
89	basicConstraints = critical, CA:TRUE
90	keyUsage = critical, keyCertSign
91	subjectKeyIdentifier = hash
92	subjectAltName = email:ca@distorted.org.uk
93	crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl
94
95	[tls-server-extensions]
96	basicConstraints = critical, CA:FALSE
97	keyUsage = critical, digitalSignature, keyEncipherment
98	extendedKeyUsage = serverAuth
99	subjectKeyIdentifier = hash
100	authorityKeyIdentifier = keyid:always, issuer:always
101	issuerAltName = issuer:copy
102	crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl
103
104	[tls-client-extensions]
105	basicConstraints = critical, CA:FALSE
106	keyUsage = critical, digitalSignature
107	extendedKeyUsage = clientAuth
108	subjectKeyIdentifier = hash
109	authorityKeyIdentifier = keyid:always,issuer:always
110	issuerAltName = issuer:copy
111	subjectAltName = email:copy
112	crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl
113
114	###----- That's all, folks --------------------------------------------------