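### -*-conf-*-
###
### OpenSSL configuration for distorted.org.uk CA.
###
### Read by `openssl req' (request/self-signed CA certificate generation)
### and `openssl ca' (signing, revocation, CRL generation).  Keys placed
### before the first section header belong to OpenSSL's default section.

###--------------------------------------------------------------------------
### Defaults.

# Seed file: pointing it at /dev/urandom avoids a writable seed file
# lying around on disk.
RANDFILE = /dev/urandom

###--------------------------------------------------------------------------
### Certificate request configuration.

[req]
default_bits = 3072
# Generated private keys are written unencrypted; protect them with
# filesystem permissions on the private/ directory.
encrypt_key = no
# SHA-1 signatures are rejected by current verifiers; SHA-256 is the
# practical minimum.
default_md = sha256
utf8 = yes
# Extensions applied when `req -x509' produces the self-signed CA cert.
x509_extensions = ca-extensions
distinguished_name = req-dn
prompt = yes

# Prompts, defaults and length limits for the subject DN.
[req-dn]

countryName = "Country name"
countryName_default = "GB"
countryName_min = 2
countryName_max = 2

stateOrProvinceName = "State, province, or county"
stateOrProvinceName_default = "Cambridgeshire"
stateOrProvinceName_max = 64

localityName = "Locality (e.g., city)"
localityName_default = "Cambridge"
localityName_max = 64

organizationName = "Organization"
organizationName_default = "distorted.org.uk"
organizationName_max = 64
organizationalUnitName = "Organizational unit"
organizationalUnitName_max = 64

commonName = "Common name"
commonName_max = 64

emailAddress = "Email address"
emailAddress_max = 64

###--------------------------------------------------------------------------
### CA configuration.

[ca]
default_ca = distorted-ca
# Keep the DN attribute order exactly as given in the request.
preserve = yes

[distorted-ca]
# Validity in days for issued certificates (5 years).  Consider shorter
# lifetimes for end-entity certificates.
default_days = 1825
# Signature digest for issued certificates and CRLs; see [req] default_md.
default_md = sha256
# Allow several valid certificates with the same subject, so a
# certificate can be renewed before the old one is revoked.
unique_subject = no
# Strip emailAddress from the subject DN; it is carried in subjectAltName
# instead (see tls-client-extensions).
email_in_dn = no
# CA signing key: must stay readable only by the CA operator.
private_key = private/ca.key
certificate = ca.cert
# Issuance index, next serial number and next CRL number.
database = state/db
serial = state/serial
crlnumber = state/crlnumber
# A CRL is valid for 7 days: it must be regenerated and published at
# least that often or relying parties will treat it as stale.
default_crl_days = 7
new_certs_dir = tmp
# Default extension profile when `ca' is run without -extensions.
x509_extensions = tls-server-extensions
crl_extensions = crl-extensions
policy = distorted-policy
# Display options for the confirmation prompt only; no effect on output.
name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
cert_opt = no_header, ext_parse, no_pubkey
# Request extensions that the chosen profile does not override (notably
# subjectAltName) are copied verbatim into the certificate.  Inspect every
# request before signing it.
copy_extensions = copy

# Subject DN policy: `match' must equal the CA's own value, `supplied'
# must be present, `optional' may be absent.
[distorted-policy]
countryName = supplied
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[crl-extensions]
issuerAltName = email:ca@distorted.org.uk
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/distorted.crl

# Profile for the self-signed CA certificate.
[ca-extensions]
basicConstraints = critical, CA:TRUE
# cRLSign is required because this certificate signs the CRL configured
# above; verifiers reject CRLs from an issuer whose keyUsage lacks it.
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = email:ca@distorted.org.uk
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/distorted.crl

# Profile for TLS server certificates.  No subjectAltName is set here, so
# it is expected to arrive in the request and be copied (copy_extensions).
[tls-server-extensions]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
issuerAltName = issuer:copy
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/distorted.crl

# Profile for TLS client certificates; select with `ca -extensions
# tls-client-extensions'.
[tls-client-extensions]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
issuerAltName = issuer:copy
# Carry the requester's emailAddress (removed from the DN by email_in_dn).
subjectAltName = email:copy
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/distorted.crl

###----- That's all, folks --------------------------------------------------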