Almost a complete rewrite.
[ca] / etc / openssl.conf
similarity index 86%
rename from openssl.conf
rename to etc/openssl.conf
index 4ff681e..4fa74a5 100644 (file)
@@ -6,6 +6,7 @@
 ### Defaults.
 
 RANDFILE = /dev/urandom
+db_suffix =
 
 ###--------------------------------------------------------------------------
 ### Certificate request configuration.
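Review bot: The new `db_suffix =` line carries no comment explaining why an empty default exists. It reads as the fallback OpenSSL uses when the environment variable behind `$ENV::db_suffix` (the `database` setting in [distorted-ca]) is unset, which only works while the default is defined above the expansion. I would add `### Fallback used when the db_suffix environment variable is unset; must stay above the $ENV::db_suffix expansion in [distorted-ca].` directly above it. Because the value is spliced into a file path, whatever script sets the variable should pass only a fixed, known suffix, so that an inherited environment cannot point the CA at a different index file.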
@@ -13,7 +14,7 @@ RANDFILE = /dev/urandom
 [req]
 default_bits = 3072
 encrypt_key = no
-default_md = sha1
+default_md = sha256
 utf8 = yes
 x509_extensions = ca-extensions
 distinguished_name = req-dn
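Review bot: `encrypt_key = no` stays in [req] while the digest is upgraded, so any key generated through this section is written to disk without a passphrase. With `x509_extensions = ca-extensions` in the same section, this looks like the path used to create the CA key itself; if so, protection of `private/ca.key` rests entirely on file permissions and host access. Either add a comment stating that this is deliberate and what ownership and mode the key file must have, or drop the line so that `req` prompts for a passphrase. The section continues past the end of this hunk.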
@@ -55,16 +56,15 @@ preserve = yes
 
 [distorted-ca]
 default_days = 1825
-default_md = sha1
+default_md = sha256
 unique_subject = no
 email_in_dn = no
 private_key = private/ca.key
 certificate = ca.cert
-database = state/db
+database = state/db$ENV::db_suffix
 serial = state/serial
 crlnumber = state/crlnumber
-default_crl_days = 7
-new_certs_dir = tmp
+default_crl_hours = 28
 x509_extensions = tls-server-extensions
 crl_extensions = crl-extensions
 policy = distorted-policy
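Review bot: Replacing `default_crl_days = 7` with `default_crl_hours = 28` leaves only about four hours of slack if the CRL is regenerated daily, so a single missed run publishes a CRL past its nextUpdate and clients that enforce it will fail revocation checks. A comment beside the setting should state the expected regeneration interval, and the job that runs `openssl ca -gencrl` should alert on failure. Separately, `new_certs_dir` is removed; `openssl ca` normally refuses to issue without it unless `-outdir` is given, so confirm that every caller now passes that option. [distorted-ca] continues past the end of this hunk.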
@@ -76,21 +76,21 @@ copy_extensions = copy
 countryName = supplied
 stateOrProvinceName = optional
 localityName = optional
-organizationName = match
+organizationName = supplied
 organizationalUnitName = optional
 commonName = supplied
 emailAddress = optional
 
 [crl-extensions]
 issuerAltName = email:ca@distorted.org.uk
-crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
 
 [ca-extensions]
 basicConstraints = critical, CA:TRUE
 keyUsage = critical, keyCertSign
 subjectKeyIdentifier = hash
 subjectAltName = email:ca@distorted.org.uk
-crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
 
 [tls-server-extensions]
 basicConstraints = critical, CA:FALSE
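Review bot: `keyUsage = critical, keyCertSign` in [ca-extensions] omits `cRLSign`, yet this CA signs its own CRLs (`private_key`, `crl_extensions` and `default_crl_hours` in [distorted-ca] all assume it does). Validators that honour key usage reject a CRL whose issuer certificate lacks that bit, so revocation checking can fail even though the CRL is published at the new URL. I would change the line to `keyUsage = critical, keyCertSign, cRLSign`; the existing CA certificate would have to be reissued for this to take effect. In the same hunk `organizationName` moves from `match` to `supplied`, which together with `copy_extensions = copy` (visible in the hunk header) lets the requester choose the O value and any extension the CA does not set itself, so each request needs review before signing. The header of the policy section lies outside this hunk.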
@@ -99,7 +99,7 @@ extendedKeyUsage = serverAuth
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always, issuer:always
 issuerAltName = issuer:copy
-crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
 
 [tls-client-extensions]
 basicConstraints = critical, CA:FALSE
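Review bot: Certificates already issued carry the old distribution point `http://www.distorted.org.uk/ca/distorted.crl`, and with `default_days = 1825` they can stay valid for years after the switch to `http://www.distorted.org.uk/ca/crl`. Unless the old URL keeps serving a current CRL or redirects to the new one, relying parties checking those certificates will fetch a stale or missing list. A comment beside the setting should record that the old path must stay published until the last such certificate expires. The same applies to the identical change in [crl-extensions], [ca-extensions] and [tls-client-extensions].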
@@ -109,6 +109,6 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
 issuerAltName = issuer:copy
 subjectAltName = email:copy
-crlDistributionPoints=URI:http://www.distorted.org.uk/ca/distorted.crl
+crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
 
 ###----- That's all, folks --------------------------------------------------