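### -*-conf-*- ###
###
### OpenSSL configuration for distorted.org.uk CA.
###
### Read by `openssl req' (requests and the self-signed root certificate)
### and `openssl ca' (issuing certificates and CRLs).  Values shared by
### several sections are defined once under `Defaults' and referenced as
### $name, so a change in one place reaches every section that uses it.

###--------------------------------------------------------------------------
### Defaults.

## Seed file for the command-line tools.
RANDFILE = /dev/random

## Suffix appended to the CA database path.  `[distorted-ca]' reads it as
## $ENV::db_suffix; when the environment variable is unset OpenSSL falls
## back to this (empty) default, so the plain `state/db' is used.
db_suffix =

## CA contact address, placed in the root's subjectAltName and in the CRL's
## issuerAltName.
ca_email = ca@distorted.org.uk

## CRL distribution point written into every certificate and CRL.  Relying
## parties fetch revocation data from here, so keep it reachable.
crl_uri = URI:http://www.distorted.org.uk/ca/crl

###--------------------------------------------------------------------------
### Certificate request configuration.

[req]
## RSA modulus size used when no key size is given on the command line.
default_bits = 3072
## Generated private keys are written without a passphrase; their
## confidentiality rests on file permissions and where they are stored.
encrypt_key = no
default_md = sha256
utf8 = yes
## Extensions applied by `openssl req -x509', i.e. when the self-signed CA
## certificate itself is produced.
x509_extensions = ca-extensions
distinguished_name = req-dn
prompt = yes

## Prompted subject attributes.  Prompts appear in the order of the keys
## below; `_default' is the value taken on an empty answer, `_min'/`_max'
## bound the accepted length.
[req-dn]
countryName = "Country name"
countryName_default = "GB"
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "State, province, or county"
stateOrProvinceName_default = "Cambridgeshire"
stateOrProvinceName_max = 64
localityName = "Locality (e.g., city)"
localityName_default = "Cambridge"
localityName_max = 64
organizationName = "Organization"
organizationName_default = "distorted.org.uk"
organizationName_max = 64
organizationalUnitName = "Organizational unit"
organizationalUnitName_max = 64
commonName = "Common name"
commonName_max = 64
emailAddress = "Email address"
emailAddress_max = 64

###--------------------------------------------------------------------------
### CA configuration.

[ca]
default_ca = distorted-ca
## Keep the subject attribute order of the request instead of reordering it
## to match the policy section.
preserve = yes

[distorted-ca]
## Validity in days when -days is not given: 1825 is five years.
default_days = 1825
default_md = sha256
## Permit more than one unexpired certificate per subject, e.g. renewal
## without first revoking the old certificate.
unique_subject = no
## Remove emailAddress from the subject DN of issued certificates; the
## client extension section carries it in subjectAltName instead.
email_in_dn = no
private_key = private/ca.key
certificate = ca.cert
## $ENV::db_suffix is read from the environment, with the empty default in
## the `Defaults' section as fallback.
database = state/db$ENV::db_suffix
serial = state/serial
crlnumber = state/crlnumber
## nextUpdate is set 28 hours after issue, so a fresh CRL has to be
## published at least once a day to stay valid for relying parties.
default_crl_hours = 28
## Extension section used unless overridden; `tls-client-extensions' below
## is presumably selected with `-extensions' for client certificates.
x509_extensions = tls-server-extensions
crl_extensions = crl-extensions
policy = distorted-policy
## Display options for the pre-signing confirmation output.
name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
cert_opt = no_header, ext_parse, no_pubkey
## Extensions present in the request but not set in the chosen extension
## section are copied into the certificate unchanged.  That is how a
## server's subjectAltName gets in, but it admits any other extension the
## requester included as well, so review a request's extensions before
## signing it.
copy_extensions = copy

## Subject policy: `supplied' attributes must be present, `optional' ones
## may be; nothing is required to match the CA's own subject.
[distorted-policy]
countryName = supplied
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

## Extensions attached to CRLs.
[crl-extensions]
issuerAltName = email:$ca_email
crlDistributionPoints = $crl_uri

## Extensions for the self-signed root: a CA limited to signing
## certificates, with no path-length constraint.
[ca-extensions]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
subjectKeyIdentifier = hash
subjectAltName = email:$ca_email
crlDistributionPoints = $crl_uri

## End-entity TLS server certificates.  subjectAltName is not set here and
## therefore comes from the request via copy_extensions.
[tls-server-extensions]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
## Key identifier plus issuer name and serial of the CA.
authorityKeyIdentifier = keyid:always, issuer:always
## Copies the CA certificate's subjectAltName into the issued certificate.
issuerAltName = issuer:copy
crlDistributionPoints = $crl_uri

## End-entity TLS client certificates.  The requester's email address is
## taken from the request subject into subjectAltName.
[tls-client-extensions]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
issuerAltName = issuer:copy
subjectAltName = email:copy
crlDistributionPoints = $crl_uri

###----- That's all, folks --------------------------------------------------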