[distorted-ansible] / roles / common / files / pki / openssl.conf

### -*-conf-*-
###
### OpenSSL configuration for distorted.org.uk CA.

###--------------------------------------------------------------------------
### Defaults.

RANDFILE = /dev/random
db_suffix =

###--------------------------------------------------------------------------
### Certificate request configuration.

[req]
default_bits = 3072
encrypt_key = no
default_md = sha256
utf8 = yes
x509_extensions = ca-extensions
distinguished_name = req-dn
prompt = yes

[req-dn]

countryName = "Country name"
countryName_default = "GB"
countryName_min = 2
countryName_max = 2

stateOrProvinceName = "State, province, or county"
stateOrProvinceName_default = "Cambridgeshire"
stateOrProvinceName_max = 64

localityName = "Locality (e.g., city)"
localityName_default = "Cambridge"
localityName_max = 64

organizationName = "Organization"
organizationName_default = "distorted.org.uk"
organizationName_max = 64
organizationalUnitName = "Organizational unit"
organizationalUnitName_max = 64

commonName = "Common name"
commonName_max = 64

emailAddress = "Email address"
emailAddress_max = 64

###--------------------------------------------------------------------------
### CA configuration.

[ca]
default_ca = distorted-ca
preserve = yes

[distorted-ca]
default_days = 1825
default_md = sha256
unique_subject = no
email_in_dn = no
private_key = private/ca.key
certificate = ca.cert
database = state/db$ENV::db_suffix
serial = state/serial
crlnumber = state/crlnumber
default_crl_hours = 28
x509_extensions = tls-server-extensions
crl_extensions = crl-extensions
policy = distorted-policy
name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
cert_opt = no_header, ext_parse, no_pubkey
copy_extensions = copy

[distorted-policy]
countryName = supplied
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[crl-extensions]
issuerAltName = email:ca@distorted.org.uk
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl

[ca-extensions]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
subjectKeyIdentifier = hash
subjectAltName = email:ca@distorted.org.uk
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl

[tls-server-extensions]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
issuerAltName = issuer:copy
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl

[tls-client-extensions]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
issuerAltName = issuer:copy
subjectAltName = email:copy
crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl

###----- That's all, folks --------------------------------------------------
Commit	Line	Data
5fc6de27 MW	1	### --conf--
	2	###
	3	### OpenSSL configuration for distorted.org.uk CA.
	4
	5	###--------------------------------------------------------------------------
	6	### Defaults.
	7
	8	RANDFILE = /dev/random
	9	db_suffix =
	10
	11	###--------------------------------------------------------------------------
	12	### Certificate request configuration.
	13
	14	[req]
	15	default_bits = 3072
	16	encrypt_key = no
	17	default_md = sha256
	18	utf8 = yes
	19	x509_extensions = ca-extensions
	20	distinguished_name = req-dn
	21	prompt = yes
	22
	23	[req-dn]
	24
	25	countryName = "Country name"
	26	countryName_default = "GB"
	27	countryName_min = 2
	28	countryName_max = 2
	29
	30	stateOrProvinceName = "State, province, or county"
	31	stateOrProvinceName_default = "Cambridgeshire"
	32	stateOrProvinceName_max = 64
	33
	34	localityName = "Locality (e.g., city)"
	35	localityName_default = "Cambridge"
	36	localityName_max = 64
	37
	38	organizationName = "Organization"
	39	organizationName_default = "distorted.org.uk"
	40	organizationName_max = 64
	41	organizationalUnitName = "Organizational unit"
	42	organizationalUnitName_max = 64
	43
	44	commonName = "Common name"
	45	commonName_max = 64
	46
	47	emailAddress = "Email address"
	48	emailAddress_max = 64
	49
	50	###--------------------------------------------------------------------------
	51	### CA configuration.
	52
	53	[ca]
	54	default_ca = distorted-ca
	55	preserve = yes
	56
	57	[distorted-ca]
	58	default_days = 1825
	59	default_md = sha256
	60	unique_subject = no
	61	email_in_dn = no
	62	private_key = private/ca.key
	63	certificate = ca.cert
	64	database = state/db$ENV::db_suffix
65	serial = state/serial
66	crlnumber = state/crlnumber
67	default_crl_hours = 28
68	x509_extensions = tls-server-extensions
69	crl_extensions = crl-extensions
70	policy = distorted-policy
71	name_opt = sep_multiline, esc_ctrl, utf8, dump_nostr, dump_unknown, space_eq, lname, align
72	cert_opt = no_header, ext_parse, no_pubkey
73	copy_extensions = copy
74
75	[distorted-policy]
76	countryName = supplied
77	stateOrProvinceName = optional
78	localityName = optional
79	organizationName = supplied
80	organizationalUnitName = optional
81	commonName = supplied
82	emailAddress = optional
83
84	[crl-extensions]
85	issuerAltName = email:ca@distorted.org.uk
86	crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
87
88	[ca-extensions]
89	basicConstraints = critical, CA:TRUE
90	keyUsage = critical, keyCertSign
91	subjectKeyIdentifier = hash
92	subjectAltName = email:ca@distorted.org.uk
93	crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
94
95	[tls-server-extensions]
96	basicConstraints = critical, CA:FALSE
97	keyUsage = critical, digitalSignature, keyEncipherment
98	extendedKeyUsage = serverAuth
99	subjectKeyIdentifier = hash
100	authorityKeyIdentifier = keyid:always, issuer:always
101	issuerAltName = issuer:copy
102	crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
103
104	[tls-client-extensions]
105	basicConstraints = critical, CA:FALSE
106	keyUsage = critical, digitalSignature
107	extendedKeyUsage = clientAuth
108	subjectKeyIdentifier = hash
109	authorityKeyIdentifier = keyid:always,issuer:always
110	issuerAltName = issuer:copy
111	subjectAltName = email:copy
112	crlDistributionPoints = URI:http://www.distorted.org.uk/ca/crl
113
114	###----- That's all, folks --------------------------------------------------