### -*-conf-*-
###
### OpenSSL configuration for distorted.org.uk CA.
###
### Read by OpenSSL's own CONF parser (`openssl req', `openssl ca'), not by
### a generic INI reader: `#' comments, `$ENV::name' expansion and quoted
### strings follow OpenSSL's rules, not configparser's.

###--------------------------------------------------------------------------
### Defaults.

### Seed file for the random generator.  Pointing it at the kernel device
### means no seed state is persisted on disk.  Recent OpenSSL releases seed
### from the OS regardless, so this is likely a no-op there -- confirm for
### the version in use.
RANDFILE = /dev/random

### Appended to the `database' path in [distorted-ca] via $ENV::db_suffix.
### Defined here, empty, so the reference still resolves when the
### environment variable is unset.
db_suffix =

###--------------------------------------------------------------------------
### Certificate request configuration.

[req]
### RSA key size for keys generated by `openssl req -newkey'.
default_bits = 3072
### Private keys generated through this section are written unencrypted.
### Convenient for service keys that must start unattended; for the CA key
### itself, generate it separately with a passphrase (e.g. `openssl genrsa
### -aes256') or rely on tight filesystem permissions on private/.
encrypt_key = no
default_md = sha256
### Emit DN strings as UTF8String rather than PrintableString/T61String.
utf8 = yes
### Only used by `openssl req -x509', i.e. when minting the self-signed CA
### certificate itself.  Issued certificates take their extensions from
### [distorted-ca] instead.
x509_extensions = ca-extensions
distinguished_name = req-dn
prompt = yes

[req-dn]
### Prompts, defaults and length caps for the subject DN fields.  The
### `_max' values are enforced by OpenSSL at request time; commonName's 64
### matches the RFC 5280 ub-common-name upper bound, the others are
### stricter than the RFC requires.

countryName = "Country name"
countryName_default = "GB"
countryName_min = 2
countryName_max = 2

stateOrProvinceName = "State, province, or county"
stateOrProvinceName_default = "Cambridgeshire"
stateOrProvinceName_max = 64

localityName = "Locality (e.g., city)"
localityName_default = "Cambridge"
localityName_max = 64

organizationName = "Organization"
organizationName_default = "distorted.org.uk"
organizationName_max = 64
organizationalUnitName = "Organizational unit"
organizationalUnitName_max = 64

commonName = "Common name"
commonName_max = 64

emailAddress = "Email address"
emailAddress_max = 64

###--------------------------------------------------------------------------
### CA configuration.

[ca]
default_ca = distorted-ca
### Keep the subject DN in the order given by the request instead of
### reordering it to match the policy section.
preserve = yes

[distorted-ca]
### Default validity of issued certificates, in days (1825 = 5 years).
### Far longer than public CAs issue for; fewer renewals, but a longer
### exposure window if a key leaks, since revocation here depends on
### clients actually fetching the CRL.
default_days = 1825
default_md = sha256
### Allow several valid certificates with the same subject, so a
### certificate can be renewed before the old one expires.
unique_subject = no
### Drop emailAddress from the subject DN; the tls-client profile carries
### it in the subjectAltName instead.
email_in_dn = no
### CA signing key.  If it was generated through [req] above, encrypt_key
### = no means it is stored unencrypted and its protection is purely the
### filesystem permissions on private/.
private_key = private/ca.key
certificate = ca.cert
### Index of issued certificates; db_suffix comes from the environment,
### falling back to the empty global default at the top of the file.
database = state/db$ENV::db_suffix
serial = state/serial
crlnumber = state/crlnumber
### nextUpdate of generated CRLs: 28 hours, so a fresh CRL has to be
### published at least daily for clients that enforce nextUpdate.
default_crl_hours = 28
### Default extension profile is the TLS-server one; pass
### `-extensions tls-client-extensions' to issue client certificates.
x509_extensions = tls-server-extensions
crl_extensions = crl-extensions
policy = distorted-policy
name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
cert_opt = no_header, ext_parse, no_pubkey
### `copy' takes over request extensions that the selected profile does not
### set itself.  The profiles below fix basicConstraints/keyUsage, so a
### request cannot smuggle those in, but subjectAltName for server
### certificates comes only from the request: review the CSR's SAN before
### signing.
copy_extensions = copy

[distorted-policy]
### Subject DN policy for `openssl ca': `supplied' fields must be present
### in the request, `optional' ones may be omitted.
countryName = supplied
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[crl-extensions]
### Extensions added to CRLs generated by `openssl ca -gencrl'.  The
### distribution point is plain http on purpose: fetching the CRL must not
### itself depend on validating a certificate from this CA.
issuerAltName = email:ca@distorted.org.uk
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl

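[ca-extensions]
### Extensions for the self-signed CA certificate (`openssl req -x509',
### selected by x509_extensions in [req]).
###
### This CA signs CRLs as well as certificates ([distorted-ca] sets
### crlnumber and crl_extensions), so keyUsage has to assert cRLSign
### alongside keyCertSign: RFC 5280 requires the cRLSign bit on a CRL
### issuer's certificate whenever keyUsage is present, and OpenSSL refuses
### a CRL whose issuer lacks it (X509_V_ERR_KEYUSAGE_NO_CRL_SIGN) when CRL
### checking is enabled.
###
### Takes effect only when the CA certificate is re-issued.  Leaf
### certificates use `issuer:always' in their authorityKeyIdentifier (see
### the tls-* sections), which as I read it pins the issuer's serial number
### too, so re-issue with the same key, subject and serial (`-set_serial')
### if existing leaves must keep verifying -- test before rollout.
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = email:ca@distorted.org.uk
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
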
[tls-server-extensions]
### Default profile for `openssl ca' (x509_extensions in [distorted-ca]).
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
### `issuer:always' pins the issuing CA's name and serial number as well as
### its key identifier, which matters if the CA certificate is ever
### re-issued.
authorityKeyIdentifier = keyid:always, issuer:always
issuerAltName = issuer:copy
### No subjectAltName here: with copy_extensions = copy it is taken from
### the request, so a server certificate carries exactly the names the CSR
### asked for.
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl

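[tls-client-extensions]
### Profile for client-authentication certificates.  Not the default:
### select it with `openssl ca -extensions tls-client-extensions'.
basicConstraints = critical, CA:FALSE
### digitalSignature is what TLS client authentication uses (the client
### signs CertificateVerify); keyEncipherment is not needed for that but is
### harmless.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
### Same form as [tls-server-extensions]; `issuer:always' pins the issuing
### CA's name and serial number as well as its key identifier.
authorityKeyIdentifier = keyid:always, issuer:always
issuerAltName = issuer:copy
### Copy any email address from the request's subject into the SAN
### (email_in_dn = no in [distorted-ca] removes it from the DN itself).
subjectAltName = email:copy
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl

###----- That's all, folks --------------------------------------------------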